SB2017061616 - Side-channel attack in libgcrypt (Alpine package)
Published: June 16, 2017
Security Bulletin ID
SB2017061616
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Side-channel attack (CVE-ID: CVE-2017-9526)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.The vulnerability exists in libgcrypt's EdDSA implementation. An attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=f11d5afa3b8a26a5fef94feaf00c7a413ef0b62e
- https://git.alpinelinux.org/aports/commit/?id=03d53aaa064c5812651cd6cdad8018514d23fa04
- https://git.alpinelinux.org/aports/commit/?id=95b3d924de75435596c3a72e003dcdb160de6494
- https://git.alpinelinux.org/aports/commit/?id=b95bfcc998819366a8cadce0f079feda32c8c2ab