Libgcrypt update released to fix local side-channel attack

CERT.be Advisory

Reference: CERT.be Advisory #2017-001
CVE ID: CVE-2017-7526
Version: 1.0
Affected software: GnuPG Libgcrypt versions before 1.7.8, including: 1.4.0; 1.4.3; 1.4.4; 1.4.5; 1.4.6; 1.5.0; 1.5.1; 1.5.2; 1.5.3; 1.5.4; 1.5.6; 1.6; 1.6.1; 1.6.2; 1.6.3; 1.6.6; 1.7.3; 1.7.7
Type: Cryptography, side-channel attack

Risks

A local attacker could exploit this vulnerability to recover the RSA private key used on the same machine, and with it decrypt data or forge signatures, which may aid in further attacks.

Summary

Libgcrypt is a general-purpose library of cryptographic building blocks, originally split out of GnuPG and used by GnuPG and many other programs.
Versions before 1.7.8 are vulnerable to a local cache side-channel attack (CVE-2017-7526) on the left-to-right sliding-window modular exponentiation used for RSA private-key operations: the sequence of squarings and multiplications, which an attacker can observe through the CPU cache, depends on the secret exponent and leaks enough bits for full key recovery of RSA-1024. The same attack is believed to work on RSA-2048 with moderately more computation.
Note that this side-channel attack requires that the attacker can run arbitrary software on the hardware where the private RSA key is used, for example as an unprivileged process on the same machine. An attacker with code execution on a host that holds private keys is already in a strong position, but this attack makes extracting the key practical without any further privilege.
Note that RSA-1024 and RSA-1280 are still widely used in some applications, such as DNSSEC.
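The mechanism behind the leak, as an added example that is not part of this advisory and is not libgcrypt's code: a textbook left-to-right sliding-window exponentiation that records which of "square" or "multiply" ran at each step (the information a cache-timing attacker recovers by probing the two routines), followed by simple rules that turn that trace back into known exponent bits. Every window ends on a 1 bit, is at most w bits long and starts at the first 1 after the previous window, so the positions of the multiplications pin down many bits directly. The function names, the window width and the constructed random 1024-bit inputs are assumptions; libgcrypt's real implementation differs in detail, a real attacker also has to deal with measurement noise, and the remaining unknown bits still have to be filled in by a separate key-recovery step.

```python
# Added example (not libgcrypt's code): why a left-to-right sliding-window
# exponentiation leaks exponent bits to anyone who can observe which of
# "square" or "multiply" ran at each step, as a cache-timing attacker can.
# Names, the window width and the constructed 1024-bit inputs are assumptions.
import random


def lr_sliding_window_pow(base, exp, mod, w, trace):
    """Left-to-right sliding-window modular exponentiation.

    Appends 'S' for every squaring and 'M' for every multiplication to
    `trace`, standing in for the sequence an attacker recovers by probing
    the cache lines of the two routines. Returns base**exp mod mod.
    """
    bits = bin(exp)[2:]                     # exponent bits, index 0 = MSB
    n = len(bits)
    table, odd_power, base_sq = {}, base % mod, base * base % mod
    for k in range(1, 1 << w, 2):           # precompute base^1, base^3, ...
        table[k] = odd_power
        odd_power = odd_power * base_sq % mod
    result, i = 1, 0
    while i < n:
        if bits[i] == '0':                  # a lone 0 bit: just square
            result = result * result % mod
            trace.append('S')
            i += 1
            continue
        # a 1 bit opens a window of up to w bits; it is cut back so that
        # it ends on a 1 bit (the table only holds odd powers)
        j = min(i + w, n) - 1
        while bits[j] == '0':
            j -= 1
        for _ in range(i, j + 1):           # one squaring per window bit
            result = result * result % mod
            trace.append('S')
        result = result * table[int(bits[i:j + 1], 2)] % mod
        trace.append('M')
        i = j + 1
    return result


def recover_bits(trace, w):
    """Derive the exponent bits implied by an S/M trace of the routine above.

    Returns {bit_index (0 = MSB): bit}. Each 'M' follows the squaring of the
    last bit of a window, which is always 1. A window holds at most w bits and
    starts at the first 1 after the previous window, so bits that cannot lie
    inside any window are 0, and consecutive window starts are >= w apart.
    """
    n = trace.count('S')                    # one squaring per exponent bit
    ends, pos = [], -1
    for op in trace:
        if op == 'S':
            pos += 1
        else:
            ends.append(pos)
    if not ends:                            # exponent 0: every bit is 0
        return {b: 0 for b in range(n)}
    m = len(ends)
    # feasible range [lo, hi] for each window's start index
    lo = [max((ends[k - 1] + 1) if k else 0, ends[k] - w + 1) for k in range(m)]
    hi = [min(ends[k], (ends[k + 1] - w) if k + 1 < m else n - 1) for k in range(m)]
    for k in range(1, m):                   # starts are at least w apart
        lo[k] = max(lo[k], lo[k - 1] + w)
    for k in range(m - 2, -1, -1):
        hi[k] = min(hi[k], hi[k + 1] - w)
    known = {}
    for k in range(m):
        known[ends[k]] = 1                  # trailing 1 of the window
        prev_end = ends[k - 1] if k else -1
        for b in range(prev_end + 1, lo[k]):
            known[b] = 0                    # zeros before the window can start
        if lo[k] == hi[k]:
            known[lo[k]] = 1                # leading 1 of the window is pinned
    for b in range(ends[-1] + 1, n):
        known[b] = 0                        # zeros after the last window
    return known


def run_demo(exp_bits=1024, w=4, seed=1):
    """Constructed inputs: a random odd modulus, base and secret exponent."""
    rng = random.Random(seed)
    top_and_odd = (1 << (exp_bits - 1)) | 1
    mod = rng.getrandbits(exp_bits) | top_and_odd
    base = rng.randrange(2, mod)
    exp = rng.getrandbits(exp_bits) | top_and_odd
    trace = []
    result = lr_sliding_window_pow(base, exp, mod, w, trace)
    assert result == pow(base, exp, mod)    # the exponentiation itself is right
    known = recover_bits(trace, w)
    bits = bin(exp)[2:]
    return {
        "bits": len(bits),
        "windows": trace.count('M'),
        "known": len(known),
        "all_correct": all(bits[b] == str(v) for b, v in known.items()),
    }


if __name__ == "__main__":
    r = run_demo()
    print(f"{r['known']} of {r['bits']} exponent bits recovered from the "
          f"square/multiply trace alone, all correct: {r['all_correct']}")
```

The trace is the whole secret: nothing in the recovery step touches the modulus, the base or the result, only the order in which the two routines ran. A right-to-left implementation, or a fixed-window one whose operation sequence does not depend on the exponent, does not expose window boundaries this way, which is why the library update removes the dependency rather than trying to hide the cache accesses.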

Recommended action

The developers of GnuPG and Libgcrypt have released updates to remediate this vulnerability. Upgrade to Libgcrypt 1.7.8 or later, or to your distribution's patched package. To check which version is in use, run "libgcrypt-config --version", or "gpg --version" on GnuPG 2.x, whose second output line reports the linked libgcrypt version. Note that distributions usually backport the fix into their existing package version rather than shipping 1.7.8, so compare the installed package version against the one named in the distribution advisory below rather than against 1.7.8 alone.

• Ubuntu: https://www.ubuntu.com/usn/usn-3347-1/
• Debian: https://www.debian.org/security/2017/dsa-3901
• Fedora: https://lists.fedoraproject.org/archives/list/[email protected]
• Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7526
• SUSE Linux Enterprise 11: http://lists.suse.com/pipermail/sle-security-updates/2017-July/003013.html
• SUSE Linux Enterprise 12: http://lists.suse.com/pipermail/sle-security-updates/2017-July/003014.html

Other software that bundles this library, and is therefore also affected, includes amongst others:
• Gpg4win: https://gpg4win.org/change-history.html