Home Latest Cyber Security News | Network Security Hacking Critical Vulnerability Exists In Libgcrypt Software – Patch Rolled Out
Latest Cyber Security News | Network Security HackingNewsVulnerabilities

Critical Vulnerability Exists In Libgcrypt Software – Patch Rolled Out

by Abeerah Hashim
written by Abeerah Hashim
Libgcrypt software vulnerability

Developers behind the Libgcrypt software have deployed urgent fixes for a serious security vulnerability in the tool. Exploiting the flaw allows heap buffer overflow with malicious data from an adversary.

Libgcrypt Software Vulnerability

Google Project Zero security researcher Tavis Ormandy has publicly disclosed a critical vulnerability in Libgcrypt software.

Libgcrypt is basically a cryptographic library based on GNU Privacy Guard (GnuPG) code. It can serve as a separate GnuPG module or independently. Though, it relies on the GnuPG ‘libgpg-error’ error-reporting library.

Describing the details in a bug report, Ormandy stated that heap buffer overflow existed in the block buffer management code.

There is a heap buffer overflow in libgcrypt due to an incorrect assumption in the block buffer management code. Just decrypting some data can overflow a heap buffer with attacker controlled data, no verification or signature is validated before the vulnerability occurs.

He further stated that an adversary could easily exploit the bug.

It means that the vulnerability posed a serious threat to all users and required immediate attention.

Patch Released Immediately

Right after receiving the bug report, the Libgcrypt developers warned all users to instantly stop using the tool. As stated in their announcement,

A severe bug was reported yesterday evening against Libgcrypt 1.9.0 which we released last week.
In the meantime please stop using 1.9.0.

Besides, they rushed to develop a fix for the vulnerability. They then released the patch with a new version within few hours of the report.

So now, all those using Libgcrypt 1.9.0 should rush to update to the latest version 1.9.1. It not only includes the bug fix but also brings other improvements with it that the team has mentioned in detail in this advisory.

The developer Werner Koch has also confirmed that the critical vulnerability specifically affected version 1.9.0 only. It does not affect any other versions including the older ones.

If you are using the 1.8 LTS branch you are not affected.  While you are checking anyway please make sure that you have at least 1.8.5.

Nonetheless, since the patch is out, upgrading to the latest version is essential.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

You may also like

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall...

Personal Data Exposed in Massive Global Hack: Understanding...

Guardz Welcomes SentinelOne as Strategic Partner and Investor...

Invision Community Vulnerabilities Risk E-Commerce Websites

Microsoft April Patch Tuesday Fixes Dozens of RCE...

Match Systems publishes report on the consequences of...

Cypago Announces New Automation Support for AI Security...

LayerSlider WordPress Plugin Vulnerability Affected Thousands Of Websites

OWASP Disclosed Data Breach Affecting Old Members

Center Identity Launches Patented Passwordless Authentication for Businesses