Vulnerability Description
Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnupg | Libgcrypt | <= 1.5.3 |
| Debian | Debian Linux | 7.0 |
Related Weaknesses (CWE)
References
- http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html (Patch, Vendor Advisory)
- http://openwall.com/lists/oss-security/2014/08/16/2 (Mailing List, Third Party Advisory)
- http://www.cs.tau.ac.il/~tromer/handsoff/ (Technical Description)
- http://www.debian.org/security/2014/dsa-3024
- http://www.debian.org/security/2014/dsa-3073 (Third Party Advisory)
FAQ
What is CVE-2014-5270?
CVE-2014-5270 is a vulnerability with a CVSS score of 2.1 (LOW). Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.
How severe is CVE-2014-5270?
CVE-2014-5270 has been rated LOW with a CVSS base score of 2.1/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2014-5270?
Check the references section above for vendor advisories and patch information; the fix shipped in Libgcrypt 1.5.4. Affected products include: GnuPG Libgcrypt (<= 1.5.3) and Debian Linux 7.0.