PT-2018-2344 · Gnu+5 · Libgcrypt+5
Keegan Ryan · Published 2018-06-13 · Updated 2024-06-15 · CVE-2018-0495
CVSS v3.1: 4.7 (Medium)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Libgcrypt versions prior to 1.7.10
Libgcrypt versions 1.8.x prior to 1.8.3
Description
The issue is related to the _gcry_ecc_ecdsa_sign function in the cipher/ecc-ecdsa.c file of the Libgcrypt cryptographic library. It allows an attacker to potentially guess the base parameters of a digital signature by iterating through cache values and evaluating the execution time of mathematical calculations. This could enable the attacker to recreate the private ECDSA and DSA keys used for creating the digital signature. Exploitation of this issue may allow an attacker with access to the local machine or a different virtual machine on the same physical host to gain unauthorized access to protected information.
Recommendations
For Libgcrypt versions prior to 1.7.10, update to version 1.7.10 or later.
For Libgcrypt versions 1.8.x prior to 1.8.3, update to version 1.8.3 or later.
As a temporary workaround, consider using blinding during the signing process in the _gcry_ecc_ecdsa_sign function to mitigate the issue.
Exploit
Fix
Information Disclosure
Side Channel Attack
Affected products
Alt Linux
Centos
Libgcrypt
Red Hat
Suse
Ubuntu