Vulnerability Description
The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a "Last-Level Cache Side-Channel Attack."
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnupg | Gnupg | < 1.4.19 |
| Gnupg | Libgcrypt | < 1.6.3 |
| Debian | Debian Linux | 7.0 |
Related Weaknesses (CWE)
References
- http://www.debian.org/security/2015/dsa-3184Third Party Advisory
- http://www.debian.org/security/2015/dsa-3185Third Party Advisory
- https://ieeexplore.ieee.org/document/7163050Third Party Advisory
- https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.htmlMailing ListVendor Advisory
- https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.htmlMailing ListVendor Advisory
- http://www.debian.org/security/2015/dsa-3184Third Party Advisory
- http://www.debian.org/security/2015/dsa-3185Third Party Advisory
- https://ieeexplore.ieee.org/document/7163050Third Party Advisory
- https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.htmlMailing ListVendor Advisory
- https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.htmlMailing ListVendor Advisory
FAQ
What is CVE-2015-0837?
CVE-2015-0837 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during mod...
How severe is CVE-2015-0837?
CVE-2015-0837 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-0837?
Check the references section above for vendor advisories and patch information. Affected products include: Gnupg Gnupg, Gnupg Libgcrypt, Debian Debian Linux.