CVE-2014-5270

Libgcrypt < 1.5.4 - Side-Channel Key Extraction via Voltage Analysis

Title source: llm
STIX 2.1

Description

Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.

References (5)

Core 5
Core References
Patch, Vendor Advisory mailing-list x_refsource_mlist
http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2014/dsa-3073
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2014/08/16/2
Technical Description x_refsource_misc
http://www.cs.tau.ac.il/~tromer/handsoff/
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2014/dsa-3024

Scores

EPSS 0.0053
EPSS Percentile 41.0%

Details

CWE
CWE-200
Status published
Products (10)
debian/debian_linux 7.0
gnupg/libgcrypt 1.4.0
gnupg/libgcrypt 1.4.3
gnupg/libgcrypt 1.4.4
gnupg/libgcrypt 1.4.5
gnupg/libgcrypt 1.4.6
gnupg/libgcrypt 1.5.0
gnupg/libgcrypt 1.5.1
gnupg/libgcrypt 1.5.2
gnupg/libgcrypt < 1.5.3
Published Oct 10, 2014
Tracked Since Feb 18, 2026