Vulnerability Name: CVE-2017-9526 (CCN-127192)

Assigned: 2017-06-02
Published: 2017-06-02
Updated: 2019-01-16
Summary: In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point operations are used in the MPI library.
CVSS v3 Severity: 5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
5.4 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-200
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2017-9526

Source: DEBIAN
Type: UNKNOWN
DSA-3880

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Source: BID
Type: Third Party Advisory, VDB Entry
99046

Source: CCN
Type: BID-99046
Libgcrypt 'cipher/ecc-eddsa.c' Information Disclosure Vulnerability

Source: CCN
Type: Bugzilla – Bug 1042326
(CVE-2017-9526) VUL-0: CVE-2017-9526: libgcrypt: timing attack on EdDSA session key

Source: CONFIRM
Type: Issue Tracking, Patch
https://bugzilla.suse.com/show_bug.cgi?id=1042326

Source: XF
Type: UNKNOWN
libgcrypt-cve20179526-info-disc(127192)

Source: CCN
Type: Libgcrypt GIT Repository
ecc: Store EdDSA session key in secure memory.

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=5a22de904a0a366ae79f03ff1e13a1232a89e26b

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=f9494b3f258e01b6af8bd3941ce436bcc00afc56

Source: CONFIRM
Type: UNKNOWN
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:gnupg:libgcrypt:*:*:*:*:*:*:*:* (Version <= 1.7.6)

  * Denotes that component is vulnerable

OVAL Definitions:
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:42403 | P | Security update for qemu (Important) | 2022-07-04
    oval:org.opensuse.security:def:20179526 | V | CVE-2017-9526 | 2022-05-20
    oval:org.opensuse.security:def:42334 | P | Security update for glibc (Important) | 2022-02-04
    oval:org.opensuse.security:def:57545 | P | Security update for xorg-x11-server (Important) | 2021-12-20
    oval:org.opensuse.security:def:57140 | P | Security update for the Linux Kernel (Important) | 2021-12-06
    oval:org.opensuse.security:def:57139 | P | Security update for webkit2gtk3 (Important) | 2021-12-01
    oval:org.opensuse.security:def:20534 | P | Security update for the Linux Kernel (Live Patch 12 for SLE 12 SP5) (Important) | 2021-11-17
    oval:org.opensuse.security:def:42225 | P | Security update for the Linux Kernel (Important) | 2021-10-12
    oval:org.opensuse.security:def:57999 | P | Security update for aspell (Important) | 2021-08-25
    oval:org.opensuse.security:def:20496 | P | Security update for the Linux Kernel (Live Patch 15 for SLE 12 SP5) (Important) | 2021-08-17
    oval:org.opensuse.security:def:14743 | P | python-PyYAML-3.12-26.6.1 on GA media (Moderate) | 2021-08-16
    oval:org.opensuse.security:def:14932 | P | java-1_7_1-ibm-1.7.1_sr4.50-38.41.1 on GA media (Moderate) | 2021-08-16
    oval:org.opensuse.security:def:14639 | P | libotr5-4.0.0-9.1 on GA media (Moderate) | 2021-08-16
    oval:org.opensuse.security:def:15033 | P | libmysqlclient18-10.0.40.1-2.9.1 on GA media (Moderate) | 2021-08-16
    oval:org.opensuse.security:def:14794 | P | vorbis-tools-1.4.0-26.1 on GA media (Moderate) | 2021-08-16
    oval:org.opensuse.security:def:14959 | P | libXi6-1.7.4-18.6.1 on GA media (Moderate) | 2021-08-16
    oval:org.opensuse.security:def:14647 | P | libpolkit0-0.113-5.12.1 on GA media (Moderate) | 2021-08-16
    oval:org.opensuse.security:def:14814 | P | zoo-2.10-1020.56 on GA media (Moderate) | 2021-08-16
    oval:org.opensuse.security:def:15006 | P | libidn-tools-1.28-5.6.1 on GA media (Moderate) | 2021-08-16
    oval:org.opensuse.security:def:14673 | P | libtag1-1.9.1-1.218 on GA media (Moderate) | 2021-08-16
    oval:org.opensuse.security:def:14838 | P | autofs-5.1.3-1.17 on GA media (Moderate) | 2021-08-16
    oval:org.opensuse.security:def:15017 | P | libkde4-32bit-4.12.0-10.1 on GA media (Moderate) | 2021-08-16
    oval:org.opensuse.security:def:20283 | P | Security update for the Linux Kernel (Live Patch 16 for SLE 12 SP4) (Important) | 2021-07-27
    oval:org.opensuse.security:def:20275 | P | Security update for the Linux Kernel (Live Patch 16 for SLE 12 SP4) (Important) | 2021-07-15
    oval:org.opensuse.security:def:20462 | P | Security update for the Linux Kernel (Live Patch 7 for SLE 12 SP5) (Important) | 2021-07-14
    oval:org.opensuse.security:def:12134 | P | gstreamer-0_10-plugins-good-0.10.31-16.1 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:12268 | P | libspice-server1-0.12.8-1.17 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:17200 | P | libraw9-0.15.4-3.88 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:42505 | P | clamav-0.98.7-0.3.1 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:12019 | P | sudo-1.8.10p3-6.16 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:12149 | P | iputils-s20121221-2.19 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:17285 | P | libwmf-0_2-7-0.2.8.4-242.3 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:12310 | P | p7zip-9.20.1-6.1 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:15671 | P | libxml2-devel-2.9.1-6.2 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:17158 | P | cyrus-sasl-digestmd5-32bit-2.1.26-7.1 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:42681 | P | ppp-2.4.5.git-2.29.1 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:12041 | P | xen-4.7.0_12-23.4 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:12168 | P | libXcursor1-1.1.14-3.60 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:12319 | P | perl-HTML-Parser-3.71-1.178 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:15694 | P | rhythmbox-3.0.2-1.92 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:42745 | P | xorg-x11-libs-32bit-7.4-8.26.44.1 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:12087 | P | curl-7.37.0-36.1 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:12243 | P | libpango-1_0-0-1.40.1-9.5 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:17166 | P | gegl-0_2-0.2.0-14.3 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:12011 | P | rsyslog-8.4.0-14.1 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:12332 | P | python-libxml2-2.9.4-45.1 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:42073 | P | Security update for lz4 (Important) | 2021-05-19
    oval:org.opensuse.security:def:38779 | P | Security update for cups (Important) | 2021-04-30
    oval:org.opensuse.security:def:42797 | P | Security update for openldap2 (Important) | 2021-04-16
    oval:org.opensuse.security:def:54783 | P | Security update for sudo (Important) | 2021-03-24
    oval:org.opensuse.security:def:21411 | P | Security update for bind (Important) | 2021-02-18
    oval:org.opensuse.security:def:57162 | P | Security update for the Linux Kernel (Important) | 2021-02-12
    oval:org.opensuse.security:def:20318 | P | Security update for the Linux Kernel (Live Patch 12 for SLE 12 SP4) (Important) | 2021-02-10
    oval:org.opensuse.security:def:20646 | P | Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork (Important) | 2020-12-28
    oval:org.opensuse.security:def:54691 | P | Security update for python (Important) | 2020-12-11
    oval:org.opensuse.security:def:57829 | P | Security update for mutt (Important) | 2020-12-07
    oval:org.opensuse.security:def:12970 | P | libass5-0.10.2-3.1 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:12992 | P | libgoa-1_0-0-3.20.8-10.4.50 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:41969 | P | gtk2-2.18.9-0.4.1 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:17342 | P | libgio-fam-2.48.2-12.15.1 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:41970 | P | gvim-7.2-8.8 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:17373 | P | libwmf-0_2-7-0.2.8.4-242.3 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:41981 | P | krb5-1.6.3-133.27.1 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:57720 | P | gdk-pixbuf-lang on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:58395 | P | Security update for log4j (Important) | 2020-12-01
    oval:org.opensuse.security:def:53452 | P | Security update for php7 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:54976 | P | pam_ssh on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:39114 | P | libpcrecpp0-32bit on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:17409 | P | Security update for python3 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:42842 | P | Security update for graphite2 (Important) | 2020-12-01
    oval:org.opensuse.security:def:43605 | P | Security update for libgcrypt (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:58488 | P | Security update for libgcrypt (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:58635 | P | Security update for java-1_7_1-ibm (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:53453 | P | Security update for nodejs8 (Critical) | 2020-12-01
    oval:org.opensuse.security:def:54026 | P | libgcrypt20 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:38528 | P | yast2 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:38939 | P | argyllcms on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:17620 | P | Security update for libwmf (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:20737 | P | Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP1) (Important) | 2020-12-01
    oval:org.opensuse.security:def:21437 | P | Security update for libgcrypt (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:56252 | P | Security update for bind (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:38295 | P | libgraphite2-3 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:39159 | P | evolution on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:17519 | P | Security update for python, python-base, python-doc (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:42871 | P | Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP1) (Important) | 2020-12-01
    oval:org.opensuse.security:def:58564 | P | Security update for tcpdump (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:58710 | P | Security update for libgcrypt (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:53475 | P | Security update for dpdk (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:54132 | P | unixODBC on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:38296 | P | libgssglue1 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:38631 | P | krb5-appl-clients on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:38998 | P | NetworkManager on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:17642 | P | Security update for gcc48 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:57306 | P | Security update for cabextract | 2020-12-01
    oval:org.opensuse.security:def:20749 | P | Security update to ucode-intel (Important) | 2020-12-01
    oval:org.opensuse.security:def:54857 | P | libevent-2_0-5 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:56326 | P | Security update for libgcrypt (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:39047 | P | libsilc-1_1-2 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:39797 | P | Security update for minicom (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:17551 | P | Security update for webkitgtk (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:42922 | P | Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP1) (Important) | 2020-12-01
    oval:org.opensuse.security:def:20404 | P | Security update for gstreamer-plugins-good (Important) | 2020-12-01
    oval:org.opensuse.security:def:58602 | P | Security update for libapr-util1 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:53615 | P | Security update for openldap2 (Important) | 2020-12-01
    oval:org.opensuse.security:def:54298 | P | libpoppler-glib8 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:38307 | P | libjavascriptcoregtk-3_0-0 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:38689 | P | libjson-c2 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:18280 | P | Security update for libtirpc (Important) | 2020-12-01
    oval:org.opensuse.security:def:58285 | P | Security update for adns (Important) | 2020-12-01
    oval:org.opensuse.security:def:20773 | P | Security update for java-1_7_1-ibm (Important) | 2020-12-01
    oval:org.opensuse.security:def:54895 | P | libndp0 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:39086 | P | gstreamer-0_10-plugins-good on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:39839 | P | Security update for libgcrypt (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:43560 | P | Security update for minicom (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:20679 | P | Security update for libtirpc (Important) | 2020-12-01
    oval:org.opensuse.security:def:58685 | P | Security update for git (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:53853 | P | Security update for openconnect (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:54583 | P | libpango-1_0-0 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:38391 | P | libvirglrenderer0 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:17608 | P | Security update for libyaml (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:18306 | P | Security update for libgcrypt (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:78960 | P | Security update for libgcrypt (Moderate) | 2017-06-19
    oval:org.opensuse.security:def:81420 | P | Security update for libgcrypt (Moderate) | 2017-06-19
    oval:com.ubuntu.bionic:def:201795260000000 | V | CVE-2017-9526 on Ubuntu 18.04 LTS (bionic) - low. | 2017-06-11
    oval:com.ubuntu.xenial:def:201795260000000 | V | CVE-2017-9526 on Ubuntu 16.04 LTS (xenial) - low. | 2017-06-11
    oval:com.ubuntu.disco:def:201795260000000 | V | CVE-2017-9526 on Ubuntu 19.04 (disco) - low. | 2017-06-11
    oval:com.ubuntu.artful:def:20179526000 | V | CVE-2017-9526 on Ubuntu 17.10 (artful) - low. | 2017-06-10
    oval:com.ubuntu.xenial:def:20179526000 | V | CVE-2017-9526 on Ubuntu 16.04 LTS (xenial) - low. | 2017-06-10
    oval:com.ubuntu.bionic:def:20179526000 | V | CVE-2017-9526 on Ubuntu 18.04 LTS (bionic) - low. | 2017-06-10
    oval:com.ubuntu.cosmic:def:20179526000 | V | CVE-2017-9526 on Ubuntu 18.10 (cosmic) - low. | 2017-06-10
    oval:com.ubuntu.cosmic:def:201795260000000 | V | CVE-2017-9526 on Ubuntu 18.10 (cosmic) - low. | 2017-06-10
    oval:com.ubuntu.trusty:def:20179526000 | V | CVE-2017-9526 on Ubuntu 14.04 LTS (trusty) - low. | 2017-06-10
    gnupg libgcrypt *