CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
74.6%
Severity: Medium
Date : 2017-09-18
CVE-ID : CVE-2017-0379
Package : lib32-libgcrypt
Type : private key recovery
Remote : No
Link : https://security.archlinux.org/AVG-403
The package lib32-libgcrypt before version 1.8.1-1 is vulnerable to
private key recovery.
Upgrade to 1.8.1-1.
The problem has been fixed upstream in version 1.8.1.
None.
Libgcrypt before 1.8.1 does not properly consider Curve25519 side-
channel attacks, which makes it easier for attackers to discover a
secret key, related to cipher/ecc.c and mpi/ec.c. On multi user systems
or on boxes with virtual machines this attack may be used to steal
private keys.
On a multi user system or on boxes with virtual machines a local
attacker may be able to perform a side-channel attack to steal private
keys.
https://lists.gnupg.org/pipermail/gnupg-announce/2017q3/000414.html
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=bf76acbf0da6b0f245e491bec12c0f0a1b5be7c9
https://eprint.iacr.org/2017/806
https://security.archlinux.org/CVE-2017-0379
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | lib32-libgcrypt | < 1.8.1-1 | UNKNOWN |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
74.6%