CVE-2014-5270
Severity Score
2.1
*CVSS v2
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.
Libgcrypt anterior a 1.5.4, utilizado en GnuPG y otros productos, no realiza debidamente la normalización y aleatorización de texto cifrado, lo que facilita a atacantes físicamente próximos realizar ataques de extracción de claves mediante el aprovechamiento de la habilidad de recoger datos de voltaje del metal expuesto, un vector deferente a CVE-2013-4576.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2014-08-15 CVE Reserved
- 2014-08-29 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| http://openwall.com/lists/oss-security/2014/08/16/2 | Mailing List | |
| http://www.cs.tau.ac.il/~tromer/handsoff | Technical Description |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html | 2017-11-04 |
| URL | Date | SRC |
|---|---|---|
| http://www.debian.org/security/2014/dsa-3024 | 2017-11-04 | |
| http://www.debian.org/security/2014/dsa-3073 | 2017-11-04 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Gnupg Search vendor "Gnupg" | Libgcrypt Search vendor "Gnupg" for product "Libgcrypt" | <= 1.5.3 Search vendor "Gnupg" for product "Libgcrypt" and version " <= 1.5.3" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Libgcrypt Search vendor "Gnupg" for product "Libgcrypt" | 1.4.0 Search vendor "Gnupg" for product "Libgcrypt" and version "1.4.0" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Libgcrypt Search vendor "Gnupg" for product "Libgcrypt" | 1.4.3 Search vendor "Gnupg" for product "Libgcrypt" and version "1.4.3" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Libgcrypt Search vendor "Gnupg" for product "Libgcrypt" | 1.4.4 Search vendor "Gnupg" for product "Libgcrypt" and version "1.4.4" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Libgcrypt Search vendor "Gnupg" for product "Libgcrypt" | 1.4.5 Search vendor "Gnupg" for product "Libgcrypt" and version "1.4.5" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Libgcrypt Search vendor "Gnupg" for product "Libgcrypt" | 1.4.6 Search vendor "Gnupg" for product "Libgcrypt" and version "1.4.6" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Libgcrypt Search vendor "Gnupg" for product "Libgcrypt" | 1.5.0 Search vendor "Gnupg" for product "Libgcrypt" and version "1.5.0" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Libgcrypt Search vendor "Gnupg" for product "Libgcrypt" | 1.5.1 Search vendor "Gnupg" for product "Libgcrypt" and version "1.5.1" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Libgcrypt Search vendor "Gnupg" for product "Libgcrypt" | 1.5.2 Search vendor "Gnupg" for product "Libgcrypt" and version "1.5.2" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0" | - |
Affected
| ||||||