Huawei EulerOS Local Security Checks : Huawei EulerOS: Security Advisory for libgcrypt (EulerOS-SA-2020-1498)

Búsqueda de Vulnerabilidad		Buscar 219043 Descripciones CVE y 99761 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.1.2.2020.1498

Categoría: Huawei EulerOS Local Security Checks

Título: Huawei EulerOS: Security Advisory for libgcrypt (EulerOS-SA-2020-1498)

Resumen: The remote host is missing an update for the Huawei EulerOS 'libgcrypt' package(s) announced via the EulerOS-SA-2020-1498 advisory.

Descripción: Summary:
The remote host is missing an update for the Huawei EulerOS 'libgcrypt' package(s) announced via the EulerOS-SA-2020-1498 advisory.

Vulnerability Insight:
Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.(CVE-2014-5270)

libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used.(CVE-2017-7526)

Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.(CVE-2014-3591)

The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a 'Last-Level Cache Side-Channel Attack.'(CVE-2015-0837)

Affected Software/OS:
'libgcrypt' package(s) on Huawei EulerOS Virtualization 3.0.2.2.

Solution:
Please install the updated package(s).

CVSS Score:
4.3

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:N/A:N

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2014-3591
http://www.cs.tau.ac.il/~tromer/radioexp/
http://www.debian.org/security/2015/dsa-3184
http://www.debian.org/security/2015/dsa-3185
https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html
https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.html
Common Vulnerability Exposure (CVE) ID: CVE-2014-5270
Debian Security Information: DSA-3024 (Google Search)
http://www.debian.org/security/2014/dsa-3024
Debian Security Information: DSA-3073 (Google Search)
http://www.debian.org/security/2014/dsa-3073
http://www.cs.tau.ac.il/~tromer/handsoff/
http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html
http://openwall.com/lists/oss-security/2014/08/16/2
Common Vulnerability Exposure (CVE) ID: CVE-2015-0837
https://ieeexplore.ieee.org/document/7163050
Common Vulnerability Exposure (CVE) ID: CVE-2017-7526
BugTraq ID: 99338
http://www.securityfocus.com/bid/99338
Debian Security Information: DSA-3901 (Google Search)
https://www.debian.org/security/2017/dsa-3901
Debian Security Information: DSA-3960 (Google Search)
https://www.debian.org/security/2017/dsa-3960
https://eprint.iacr.org/2017/627
https://lists.gnupg.org/pipermail/gnupg-announce/2017q2/000408.html
http://www.securitytracker.com/id/1038915
https://usn.ubuntu.com/3733-1/
https://usn.ubuntu.com/3733-2/

Copyright Copyright (C) 2020 Greenbone Networks GmbH

Esta es sólo una de 99761 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.1.2.2020.1498
Categoría:	Huawei EulerOS Local Security Checks
Título:	Huawei EulerOS: Security Advisory for libgcrypt (EulerOS-SA-2020-1498)
Resumen:	The remote host is missing an update for the Huawei EulerOS 'libgcrypt' package(s) announced via the EulerOS-SA-2020-1498 advisory.
Descripción:	Summary: The remote host is missing an update for the Huawei EulerOS 'libgcrypt' package(s) announced via the EulerOS-SA-2020-1498 advisory. Vulnerability Insight: Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.(CVE-2014-5270) libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used.(CVE-2017-7526) Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.(CVE-2014-3591) The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a 'Last-Level Cache Side-Channel Attack.'(CVE-2015-0837) Affected Software/OS: 'libgcrypt' package(s) on Huawei EulerOS Virtualization 3.0.2.2. Solution: Please install the updated package(s). CVSS Score: 4.3 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2014-3591 http://www.cs.tau.ac.il/~tromer/radioexp/ http://www.debian.org/security/2015/dsa-3184 http://www.debian.org/security/2015/dsa-3185 https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.html Common Vulnerability Exposure (CVE) ID: CVE-2014-5270 Debian Security Information: DSA-3024 (Google Search) http://www.debian.org/security/2014/dsa-3024 Debian Security Information: DSA-3073 (Google Search) http://www.debian.org/security/2014/dsa-3073 http://www.cs.tau.ac.il/~tromer/handsoff/ http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html http://openwall.com/lists/oss-security/2014/08/16/2 Common Vulnerability Exposure (CVE) ID: CVE-2015-0837 https://ieeexplore.ieee.org/document/7163050 Common Vulnerability Exposure (CVE) ID: CVE-2017-7526 BugTraq ID: 99338 http://www.securityfocus.com/bid/99338 Debian Security Information: DSA-3901 (Google Search) https://www.debian.org/security/2017/dsa-3901 Debian Security Information: DSA-3960 (Google Search) https://www.debian.org/security/2017/dsa-3960 https://eprint.iacr.org/2017/627 https://lists.gnupg.org/pipermail/gnupg-announce/2017q2/000408.html http://www.securitytracker.com/id/1038915 https://usn.ubuntu.com/3733-1/ https://usn.ubuntu.com/3733-2/
Copyright	Copyright (C) 2020 Greenbone Networks GmbH