CVE-2018-0495
Summary
| CVE | CVE-2018-0495 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2018-06-13 23:29:00 UTC |
|---|
| Updated | 2023-11-07 02:51:00 UTC |
|---|
| Description | Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| Red Hat Customer Portal |
REDHAT |
access.redhat.com |
Third Party Advisory |
| ⚓ T4011 CVE-2018-0495 |
MISC |
dev.gnupg.org |
Patch, Vendor Advisory |
| Red Hat Customer Portal |
REDHAT |
access.redhat.com |
|
| [Announce] Libgcrypt 1.8.3 and 1.7.10 to fix CVE-2018-0495 |
MISC |
lists.gnupg.org |
Vendor Advisory |
| git.gnupg.org Git - libgcrypt.git/commit |
|
git.gnupg.org |
|
| Red Hat Customer Portal |
REDHAT |
access.redhat.com |
Third Party Advisory |
| [SECURITY] [DLA 1405-1] libgcrypt20 security update |
MLIST |
lists.debian.org |
Mailing List, Third Party Advisory |
| Debian -- Security Information -- DSA-4231-1 libgcrypt20 |
DEBIAN |
www.debian.org |
Third Party Advisory |
| Libgcrypt ECDSA Signature Calculation Timing Flaw Lets Local Users Obtain Private DSA Keys on the Target System - SecurityTracker |
SECTRACK |
www.securitytracker.com |
Third Party Advisory, VDB Entry |
| USN-3689-1: Libgcrypt vulnerability | Ubuntu security notices |
UBUNTU |
usn.ubuntu.com |
Third Party Advisory |
| Red Hat Customer Portal |
REDHAT |
access.redhat.com |
|
| USN-3850-1: NSS vulnerabilities | Ubuntu security notices |
UBUNTU |
usn.ubuntu.com |
Third Party Advisory |
| www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-numbe... |
MISC |
www.nccgroup.trust |
Exploit, Third Party Advisory |
| Red Hat Customer Portal |
REDHAT |
access.redhat.com |
|
| git.gnupg.org Git - libgcrypt.git/commit |
MISC |
git.gnupg.org |
Patch, Vendor Advisory |
| USN-3850-2: NSS vulnerabilities | Ubuntu security notices |
UBUNTU |
usn.ubuntu.com |
Third Party Advisory |
| OpenBSD ECDSA Signature Calculation Timing Flaw Lets Local Users Obtain Private DSA Keys on the Target System - SecurityTracker |
SECTRACK |
www.securitytracker.com |
Third Party Advisory, VDB Entry |
| USN-3689-2: Libgcrypt vulnerability | Ubuntu security notices |
UBUNTU |
usn.ubuntu.com |
Third Party Advisory |
| USN-3692-1: OpenSSL vulnerabilities | Ubuntu security notices |
UBUNTU |
usn.ubuntu.com |
Third Party Advisory |
| Red Hat Customer Portal |
REDHAT |
access.redhat.com |
|
| USN-3692-2: OpenSSL vulnerabilities | Ubuntu security notices |
UBUNTU |
usn.ubuntu.com |
Third Party Advisory |
| Oracle Critical Patch Update Advisory - April 2019 |
MISC |
www.oracle.com |
Patch, Third Party Advisory |
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 296092 Oracle Solaris 11.4 Support Repository Update (SRU) 7.1.4 Missing (CPUJAN2019)
- 377300 Alibaba Cloud Linux Security Update for nss, nss-softokn, nss-util, and nspr (ALINUX2-SA-2019:0104)
- 500292 Alpine Linux Security Update for libgcrypt
- 500368 Alpine Linux Security Update for libressl
- 504058 Alpine Linux Security Update for libgcrypt
- 591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
- 690634 Free Berkeley Software Distribution (FreeBSD) Security Update for libgcrypt (9b5162de-6f39-11e8-818e-e8e0b747a45a)
