CVE-2017-7526 — MEDIUM (6.1)

Q: How severe is CVE-2017-7526?

CVE-2017-7526 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-7526?

Check the references section above for vendor advisories and patch information. Affected products include: Gnupg Libgcrypt, Canonical Ubuntu Linux, Debian Debian Linux.

Vulnerability Description

libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used.

CVSS Score

6.1

MEDIUM

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Gnupg	Libgcrypt	< 1.7.8
Canonical	Ubuntu Linux	12.04
Debian	Debian Linux	8.0

Related Weaknesses (CWE)

CWE-310 CWE-200

References

http://www.securityfocus.com/bid/99338Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1038915Third Party AdvisoryVDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7526Issue TrackingPatchThird Party Advisory
https://eprint.iacr.org/2017/627Third Party Advisory
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=78130828
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=8725c99f
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=e6a3dc99
https://lists.gnupg.org/pipermail/gnupg-announce/2017q2/000408.htmlMailing ListVendor Advisory
https://usn.ubuntu.com/3733-1/Third Party Advisory
https://usn.ubuntu.com/3733-2/Third Party Advisory
https://www.debian.org/security/2017/dsa-3901Third Party Advisory
https://www.debian.org/security/2017/dsa-3960Third Party Advisory
http://www.securityfocus.com/bid/99338Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1038915Third Party AdvisoryVDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7526Issue TrackingPatchThird Party Advisory

FAQ

What is CVE-2017-7526?

CVE-2017-7526 is a vulnerability with a CVSS score of 6.1 (MEDIUM). libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion....

How severe is CVE-2017-7526?

CVE-2017-7526 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-7526?

Check the references section above for vendor advisories and patch information. Affected products include: Gnupg Libgcrypt, Canonical Ubuntu Linux, Debian Debian Linux.