CVE-2017-7526
gnupg - security update
6.8
MEDIUM
CVSS 3.1
EPSS 2.8%
Description
libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used.
How to fix CVE-2017-7526
To remediate CVE-2017-7526, upgrade the affected package to a fixed version below.
- —upgrade to 1.4.23-r0 or later
- —upgrade to 1.4.12-7+deb7u9 or later
- —upgrade to 1.4.18-7+deb8u4 or later
- —upgrade to 1.4.22-1 or later
- —upgrade to 1.5.0-5+deb7u6 or later
- —upgrade to 1.7.8-1 or later
- —upgrade to 1.6.3-2+deb8u4 or later
Is CVE-2017-7526 being exploited?
Low — EPSS is 2.8%, meaning exploitation activity has not been observed at scale.
Affected packages (7)
- from 0, < 1.4.23-r0
- from 0, < 1.4.12-7+deb7u9
- from 0, < 1.4.18-7+deb8u4
- from 0, < 1.4.22-1
- from 0, < 1.5.0-5+deb7u6
- from 0, < 1.7.8-1
- from 0, < 1.6.3-2+deb8u4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.8 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N |