CVE-2015-0837

Опубликовано: 27 фев. 2015

Источник: redhat

CVSS2: 1.2

Описание

The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a "Last-Level Cache Side-Channel Attack."

Отчет

Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw in the libgcrypt and gnupg2 packages. The attack leading to this flaw, is difficult to conduct in practice especially for cross-vm environments, mainly because the attacker needs to run their timing attack script at the exact same time decryption runs on the victim machine. Also this is essentially a chosen ciphertext attack because the attacker provides the ciphertext which the victim needs to be decrypt. Such actions only work when there is sufficient social engineer involved.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat Enterprise Linux 5	gnupg	Will not fix
Red Hat Enterprise Linux 5	gnupg2	Will not fix
Red Hat Enterprise Linux 5	libgcrypt	Will not fix
Red Hat Enterprise Linux 6	gnupg2	Will not fix
Red Hat Enterprise Linux 6	libgcrypt	Will not fix
Red Hat Enterprise Linux 7	gnupg2	Will not fix
Red Hat Enterprise Linux 7	libgcrypt	Will not fix
Red Hat Enterprise Virtualization 3	mingw-virt-viewer	Fix deferred