Bug 2162596 (CVE-2023-0361)

Summary: CVE-2023-0361 gnutls: timing side-channel in the TLS RSA key exchange code
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: atorresj, dueno, hkario, kyoshida, rh-spice-bugs, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A timing side-channel vulnerability was found in RSA ClientKeyExchange messages in GnuTLS. This side-channel may be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-04-04 13:24:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2169607, 2162598, 2162599, 2162600, 2162601, 2162602, 2169608, 2169609, 2169610, 2169951, 2191733    
Bug Blocks: 2161844    

Description Sandipan Roy 2023-01-20 06:22:20 UTC 
The time for GnuTLS to respond to malformed RSA ciphertexts in ClientKeyExchange depends on kind of error in the RSA padding.

Generally, it looks like the response time depends on size of encrypted data in the PKCS#1 v1.5 encrypted data.

I've run tests with 1 million connections per probe, on a 2.4GHz skylake CPU with 1024 bit RSA key, the two probes with most dissimilar results were "too long (49-byte) pre master secret" and "invalid MAC in Finished on pos 0", it takes the server an extra 58.5ns to respond one over the other. This is with a 95% confidence interval of +-6.8ns.

Exact results of Wilcoxon signed-rank tests are in this report.csv file, you can find explanation of the plaintexts sent by those probes in https://github.com/tomato42/tlsfuzzer/pull/679
Comment 3 Sandipan Roy 2023-02-14 04:24:13 UTC 
Created gnutls tracking bugs for this issue:

Affects: fedora-all [bug 2169608]


Created mingw-gnutls tracking bugs for this issue:

Affects: fedora-all [bug 2169609]


Created mod_gnutls tracking bugs for this issue:

Affects: epel-all [bug 2169607]
Affects: fedora-all [bug 2169610]
Comment 6 errata-xmlrpc 2023-03-07 13:47:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1141 https://access.redhat.com/errata/RHSA-2023:1141
Comment 7 errata-xmlrpc 2023-03-14 13:53:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1200 https://access.redhat.com/errata/RHSA-2023:1200
Comment 8 errata-xmlrpc 2023-04-04 09:22:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1569 https://access.redhat.com/errata/RHSA-2023:1569
Comment 9 Product Security DevOps Team 2023-04-04 13:24:06 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0361
Comment 10 errata-xmlrpc 2023-05-31 08:44:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:3361 https://access.redhat.com/errata/RHSA-2023:3361