Bug 1843723 (CVE-2020-13777)

Summary: CVE-2020-13777 gnutls: session resumption works without master key allowing MITM
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: ansasaki, asosedki, baumanmo, cfergeau, crypto-team, darunesh, dueno, elima, erik-fedora, fidencio, hkario, jpauling, jv+fedora, marcandre.lureau, mike, nmavrogi, pspacek, rh-spice-bugs, rjones, security-response-team, tmraz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: gnutls 3.6.14 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in GnuTLS, in versions starting from 3.6.4, where it does not session the ticket encryption key in a secure fashion by the application which is connecting. This flaw allows an attacker to craft a man-in-the-middle-attack, with the ability to bypass the TLS1.3 authentication and also recover older conversations when TLS1.2 is in use. The highest threat to this flaw is to confidentiality and integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-06-22 11:20:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1843724, 1843725, 1843726, 1844145, 1844146, 1844147, 1844148, 1844149    
Bug Blocks: 1843649    

Description Guilherme de Almeida Suckevicz 2020-06-03 23:08:49 UTC 
GnuTLS servers are able to use tickets issued by each other without access to the secret key as generated by gnutls_session_ticket_key_generate(). In TLS 1.3 this allows a MITM server without valid credentials to resume sessions with a client that first established an initial connection with a server with valid credentials. In TLS 1.2, it may allow attackers to recover the previous conversations.

Reference:
https://gitlab.com/gnutls/gnutls/-/issues/1011
Comment 1 Guilherme de Almeida Suckevicz 2020-06-03 23:09:22 UTC 
Created gnutls tracking bugs for this issue:

Affects: fedora-all [bug 1843724]


Created gnutls30 tracking bugs for this issue:

Affects: epel-6 [bug 1843726]


Created mingw-gnutls tracking bugs for this issue:

Affects: fedora-all [bug 1843725]
Comment 4 Marco Benatto 2020-06-04 17:31:57 UTC 
Upstream commits for this issue:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1275/diffs?commit_id=c2646aeee94e71cb15c90a3147cf3b5b0ca158ca
https://gitlab.com/gnutls/gnutls/-/merge_requests/1275/diffs?commit_id=3d7fae761e65e9d0f16d7247ee8a464d4fe002da
Comment 13 Marco Benatto 2020-06-05 17:11:00 UTC 
External References:

https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-06-03
Comment 15 Marco Benatto 2020-06-05 17:25:29 UTC 
Mitigation:

There's no available mitigation for this issue.
Comment 16 jwp@redhat.com 2020-06-08 20:38:13 UTC 
Does this affect RHEL8? - the version of gnutls shipped in rhel8 is gnutls-3.6.8-10

which would imply it does.
Comment 17 jwp@redhat.com 2020-06-08 21:22:53 UTC 
(In reply to jwp from comment #16)
> Does this affect RHEL8? - the version of gnutls shipped in rhel8 is
> gnutls-3.6.8-10
> 
> which would imply it does.

Answering my own question. Yes. Yes it does:

https://access.redhat.com/security/cve/CVE-2020-13777
 
I assume that anything that uses the rhel8 user-space (OCP4, CoreOS, OSP16) will likewise be affected?
Comment 18 jwp@redhat.com 2020-06-08 21:23:01 UTC 
(In reply to jwp from comment #16)
> Does this affect RHEL8? - the version of gnutls shipped in rhel8 is
> gnutls-3.6.8-10
> 
> which would imply it does.

Answering my own question. Yes. Yes it does:

https://access.redhat.com/security/cve/CVE-2020-13777
 
I assume that anything that uses the rhel8 user-space (OCP4, CoreOS, OSP16) will likewise be affected?
Comment 19 RaTasha Tillery-Smith 2020-06-18 17:54:07 UTC 
Statement:

GnuTLS versions as shipped with Red Hat Enterprise Linux 7 and earlier are not affected, as the bug was introduced in upstream at GnuTLS version 3.6.4. The older versions do not carry the affected code.
Comment 20 errata-xmlrpc 2020-06-22 06:38:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:2639 https://access.redhat.com/errata/RHSA-2020:2639
Comment 21 errata-xmlrpc 2020-06-22 06:44:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2638 https://access.redhat.com/errata/RHSA-2020:2638
Comment 22 errata-xmlrpc 2020-06-22 06:56:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2637 https://access.redhat.com/errata/RHSA-2020:2637
Comment 23 Product Security DevOps Team 2020-06-22 11:20:31 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13777