
CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in the face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.

References:
• https://github.com/weikengchen/attack-on-libgcrypt-elgamal
• https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki
• https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html
• https://www.oracle.com/security-alerts/cpujan2020.html

Weakness: CWE-327: Use of a Broken or Risky Cryptographic Algorithm

CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attacks, which makes it easier for attackers to discover a secret key; the issue is related to cipher/ecc.c and mpi/ec.c.

References:
• http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
• http://www.securityfocus.com/bid/100503
• http://www.securitytracker.com/id/1041294
• https://bugs.debian.org/873383
• https://eprint.iacr.org/2017/806
• https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=da780c8183cccc8f533c8ace8211ac2cb2bdee7b
• https://lists.debian.org/debian-security-announce/2017/msg00221.html
• https://security-tracker.debian.org/tracker/CVE-2017-0379
• https://security.netapp.com/advisory/ntap

Weakness: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.8 | EPSS: 0% | CPEs: 6 | EXPL: 0

libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting in a complete break of RSA-1024 when the left-to-right method is used for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side channel requires that the attacker can run arbitrary software on the hardware where the private RSA key is used.

References:
• http://www.securityfocus.com/bid/99338
• http://www.securitytracker.com/id/1038915
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7526
• https://eprint.iacr.org/2017/627
• https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=78130828e9a140a9de4dafadbc844dbb64cb709a
• https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=8725c99ffa41778f382ca97233183bcd687bb0ce
• https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=e6a3dc9900433bbc8ad362a595a3837318c28fa9
• https:

Weaknesses: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-310: Cryptographic Issues

CVSS: 5.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. Version 1.7.7 changes cipher/ecc-eddsa.c to store this session key in secure memory, which ensures that constant-time point operations are used in the MPI library.

References:
• http://www.debian.org/security/2017/dsa-3880
• http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
• http://www.securityfocus.com/bid/99046
• https://bugzilla.suse.com/show_bug.cgi?id=1042326
• https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=5a22de904a0a366ae79f03ff1e13a1232a89e26b
• https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=f9494b3f258e01b6af8bd3941ce436bcc00afc56
• https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Weakness: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.3 | EPSS: 0% | CPEs: 15 | EXPL: 0

The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3, and in GnuPG before 1.4.21, make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits.

A design flaw was found in the libgcrypt PRNG (Pseudo-Random Number Generator). An attacker able to obtain the first 580 bytes of the PRNG output could predict the following 20 bytes.

References:
• http://rhn.redhat.com/errata/RHSA-2016-2674.html
• http://www.debian.org/security/2016/dsa-3649
• http://www.debian.org/security/2016/dsa-3650
• http://www.securityfocus.com/bid/92527
• http://www.securitytracker.com/id/1036635
• http://www.ubuntu.com/usn/USN-3064-1
• http://www.ubuntu.com/usn/USN-3065-1
• https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=blob_plain%3Bf=NEWS
• https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html
• https://securit

Weakness: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor