Vulnerability CVE-2017-0379

Vulnerability Name:

CVE-2017-0379 (CCN-131281)

Assigned:

2016-11-29

Published:

2017-08-27

Updated:

2019-01-16

Summary:

Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attacks, which makes it easier for attackers to discover a secret key, related to cipher/ecc.c and mpi/ec.c.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

2.9 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
2.6 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

1.2 Low (CCN CVSS v2 Vector: AV:L/AC:H/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-200

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2017-0379

Source: CCN
Type: IBM Security Bulletin 716653 (Cloud Private)
Multiple Security Vulnerabilities affect IBM Cloud Private

Source: CCN
Type: Oracle CPUJan2019
Oracle Critical Patch Update Advisory - January 2019

Source: CCN
Type: Oracle CPUJul2018
Oracle Critical Patch Update Advisory - July 2018

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Source: BID
Type: Third Party Advisory, VDB Entry
100503

Source: CCN
Type: BID-100503
libgcrypt CVE-2017-0379 Information Disclosure Vulnerability

Source: SECTRACK
Type: UNKNOWN
1041294

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://bugs.debian.org/873383

Source: CCN
Type: Debian Bug report logs - #873383
libgcrypt20: CVE-2017-0379: side-channel attack on Curve25519

Source: MISC
Type: Mailing List, Third Party Advisory
https://eprint.iacr.org/2017/806

Source: XF
Type: UNKNOWN
libgcrypt-cve20170379-info-disc(131281)

Source: MISC
Type: Issue Tracking, Patch, Third Party Advisory
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=da780c8183cccc8f533c8ace8211ac2cb2bdee7b

Source: CCN
Type: libgcrypt Web site
index

Source: MISC
Type: Mailing List, Patch, Third Party Advisory
https://lists.debian.org/debian-security-announce/2017/msg00221.html

Source: MISC
Type: Patch, Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2017-0379

Source: CONFIRM
Type: UNKNOWN
https://security.netapp.com/advisory/ntap-20180726-0002/

Source: DEBIAN
Type: Patch, Third Party Advisory
DSA-3959

Source: CONFIRM
Type: UNKNOWN
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2017-0379

Vulnerable Configuration:

Configuration 1:

cpe:/a:gnupg:libgcrypt:*:*:*:*:*:*:*:* (Version <= 1.8.0)

Configuration 2:

cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:gnupg:libgcrypt:1.7.6:*:*:*:*:*:*:*

AND

cpe:/a:oracle:communications_webrtc_session_controller:7.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_private:2.1.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20170379	V	CVE-2017-0379	2023-06-22
oval:org.opensuse.security:def:7592	P	libgcrypt-devel-1.9.4-150500.10.19 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:727	P	Security update for curl (Low)	2022-09-02
oval:org.opensuse.security:def:426	P	Security update for canna (Important)	2022-08-16
oval:org.opensuse.security:def:3007	P	apache-commons-beanutils-1.9.2-3.3.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94637	P	libgcrypt-devel-1.9.4-150400.4.6 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:134	P	libgcrypt-devel-1.8.2-8.36.1 on GA media (Moderate)	2022-06-13
oval:org.opensuse.security:def:142	P	libjansson-devel-2.9-1.24 on GA media (Moderate)	2022-06-13
oval:org.opensuse.security:def:1063	P	Security update for MozillaFirefox (Important)	2022-01-20
oval:org.opensuse.security:def:112636	P	libgcrypt-cavs-1.9.4-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:106117	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:69819	P	Security update for net-snmp (Important)	2022-01-11
oval:org.opensuse.security:def:93783	P	(Moderate)	2021-12-16
oval:org.opensuse.security:def:67573	P	Security update for the Linux Kernel (Important)	2021-11-11
oval:org.opensuse.security:def:96635	P	libgcrypt-devel-1.8.2-6.7 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:103325	P	libgcrypt-devel-1.8.2-6.7 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:89670	P	libgcrypt-devel-1.8.2-6.7 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:71256	P	libgcrypt-devel-1.8.2-6.7 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:61515	P	libgcrypt-devel-1.8.2-6.7 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:69714	P	Security update for djvulibre (Important)	2021-08-20
oval:org.opensuse.security:def:47648	P	jakarta-commons-fileupload-1.1.1-120.113 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:46992	P	libXfixes3-32bit-5.0.1-3.53 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:46947	P	gdm-3.10.0.1-52.5 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47891	P	squid-3.5.21-26.9.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47946	P	apache-commons-beanutils-1.9.2-3.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47216	P	binutils-2.26.1-9.12.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:46962	P	guestfs-data-1.32.4-14.18 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48073	P	libXcursor1-1.1.14-4.6.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47578	P	cpio-2.11-36.3.4 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47276	P	gstreamer-1.8.3-9.5 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48175	P	libpolkit0-0.113-5.18.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47724	P	libjasper1-1.900.14-195.8.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47500	P	shim-0.9-23.14 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47820	P	libzip2-0.11.1-13.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47862	P	python-2.7.13-28.11.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47124	P	perl-HTML-Parser-3.71-1.145 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:46948	P	ghostscript-9.15-6.5 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48008	P	fontconfig-2.11.1-7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47364	P	libjpeg-turbo-1.3.1-30.3 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47083	P	libtag1-1.9.1-1.218 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48104	P	libdjvulibre21-3.5.25.3-5.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47662	P	libFLAC++6-1.3.0-11.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47408	P	libsnmp30-32bit-5.7.3-4.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47789	P	libsrtp1-1.5.2-3.2.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:71893	P	libgcrypt-devel-1.8.2-8.36.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62152	P	libgcrypt-devel-1.8.2-8.36.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:100910	P	libgcrypt-devel-1.8.2-8.36.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:48583	P	openssh-7.2p2-55.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48867	P	libproxy1-networkmanager-32bit-0.4.13-16.6 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46664	P	glib2-lang-2.38.2-5.12 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:70972	P	libgcrypt-devel-1.8.2-4.5 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46799	P	opensc-0.13.0-1.122 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:71026	P	libsoup-2_4-1-2.62.2-1.9 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48529	P	libnm-glib-vpn1-1.0.12-8.6 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:61231	P	libgcrypt-devel-1.8.2-4.5 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:70913	P	glibc-2.26-11.8 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46663	P	git-core-1.8.5.6-11.10 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48813	P	pulseaudio-module-bluetooth-5.0-2.7 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46678	P	hplip-3.14.6-3.14 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:61816	P	libgcrypt-devel-1.8.2-8.36.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:100496	P	libgcrypt-devel-1.8.2-8.36.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:107162	P	libgcrypt-devel-1.8.2-8.36.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:116720	P	libgcrypt-devel-1.8.2-8.36.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:71557	P	libgcrypt-devel-1.8.2-8.36.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:49114	P	gstreamer on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:66463	P	libgcrypt-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:64239	P	dhcp on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:67673	P	libgcrypt-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49168	P	libgcrypt-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:66371	P	cups-filters on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:73154	P	libgcrypt-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:64326	P	libgcrypt-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:73036	P	augeas on GA media (Moderate)	2020-12-01
oval:com.ubuntu.trusty:def:20170379000	V	CVE-2017-0379 on Ubuntu 14.04 LTS (trusty) - medium.	2017-08-29
oval:com.ubuntu.xenial:def:20170379000	V	CVE-2017-0379 on Ubuntu 16.04 LTS (xenial) - medium.	2017-08-29
oval:com.ubuntu.xenial:def:201703790000000	V	CVE-2017-0379 on Ubuntu 16.04 LTS (xenial) - medium.	2017-08-29

BACK