Vulnerability CVE-2018-0495


Published: 2018-06-13

Description:
Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.

Type:

CWE-200

(Information Exposure)

Vendor: Debian
Product: Debian linux 
Version: 9.0; 8.0;
Vendor: Canonical
Product: Ubuntu linux 
Version:
18.04
17.10
16.04
14.04
12.04
See more versions on NVD
Vendor: Gnupg
Product: Libgcrypt 
Version:
1.8.2
1.8.1
1.8.0
1.7.9
1.7.8
1.7.7
1.7.6
1.7.5
1.7.4
1.7.3
1.7.2
1.7.1
1.7.0
1.6.6
1.6.5
1.6.4
1.6.3
1.6.2
1.6.1
1.6.0
1.5.6
1.5.5
1.5.4
1.5.3
1.5.2
1.5.1
1.5.0
1.4.6
1.4.5
1.4.4
1.4.3
1.4.2
1.4.1
1.4.0
1.3.2
1.3.1
1.3.0
1.2.4
1.2.3
1.2.2
1.2.1
1.2.0
1.1.94
1.1.93
1.1.92
1.1.91
1.1.90
1.1.9
1.1.8
1.1.7
1.1.6
1.1.5
1.1.44
1.1.43
1.1.42
1.1.4
1.1.3
1.1.2
1.1.12
1.1.11
1.1.10
1.1.0
1.0.4
1.0.3
1.0.2
1.0.1
1.0.0
0.9.9
0.9.8
0.9.7
0.9.6
0.9.5
0.9.4
0.9.3
0.9.2
0.9.11
0.9.10
0.9.1
0.9.0
0.4.5
0.4.4
0.4.3
0.4.2
0.4.1
0.4.0
0.3.5
0.3.4
0.3.3
0.3.2
0.3.1
0.3.0
0.2.8
0.2.6
See more versions on NVD

CVSS2 => (AV:L/AC:M/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
1.9/10
2.9/10
3.4/10
Exploit range
Attack complexity
Authentication
Local
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

 References:
http://www.securitytracker.com/id/1041144
http://www.securitytracker.com/id/1041147
https://dev.gnupg.org/T4011
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965
https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html
https://usn.ubuntu.com/3689-1/
https://usn.ubuntu.com/3689-2/
https://usn.ubuntu.com/3692-1/
https://usn.ubuntu.com/3692-2/
https://www.debian.org/security/2018/dsa-4231
https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/

Related CVE
CVE-2017-7526
libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 w...
CVE-2018-12438
The Elliptic Curve Cryptography library (aka sunec or libsunec) allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the loc...
CVE-2018-12437
LibTomCrypt through 1.18.1 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual mac...
CVE-2018-12433
** DISPUTED ** cryptlib through 3.4.4 allows a memory-cache side-channel attack on DSA and ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover a key, the attacker needs access to either the local machine or a different...
CVE-2018-12020
mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" optio...
CVE-2018-9234
GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.
CVE-2018-6829
cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of...
CVE-2017-0379
Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attacks, which makes it easier for attackers to discover a secret key, related to cipher/ecc.c and mpi/ec.c.

Copyright 2018, cxsecurity.com

 

Back to Top