Bug 2238677 (CVE-2023-4421)

Summary: CVE-2023-4421 nss: new tlsfuzzer code can still detect timing issues in RSA operations
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bdettelb, caswilli, fjansen, hkario, hkataria, jburrell, jsamir, kaycoth, kshier, sthirugn, vkrizan
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: nss 3.61
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in NSS. The interface between the cryptographic library (softokn) and the rest of NSS uses PKCS#11, and the error reporting that PKCS#11 requires when the PKCS#1 v1.5 padding check fails is very noisy, making the failure easy to detect over the network.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2238706
Bug Blocks: 2238675

Description Dhananjay Arunesh 2023-09-13 06:31:55 UTC
This patch defeats Bleichenbacher by not trying to hide the size of the
decrypted text, but to hide if the text succeeded or failed. This is done
by generating a fake returned text that's based on the key and the cipher text,
so the fake data is always the same for the same key and cipher text. Both the
length and the plain text are generated with a prf.

References:
https://hg.mozilla.org/projects/nss/rev/fc05574c739947d615ab0b2b2b564f01c922eccd
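
The implicit-rejection scheme described in the commit message above, as an added illustration (not NSS code): on any PKCS#1 v1.5 padding defect the unpadding routine returns a synthetic message whose length and bytes are derived with a PRF from the private-key material and the ciphertext, instead of reporting an error. The PRF (HMAC-SHA256), the key/ciphertext values and the function names are assumptions made for this example.

```python
import hashlib
import hmac

def _prf(key_secret: bytes, ciphertext: bytes, label: bytes) -> bytes:
    # PRF keyed by private-key material and bound to the ciphertext, so the
    # same (key, ciphertext) pair always yields the same fake plaintext.
    # HMAC-SHA256 is an assumption for this demo, not NSS's construction.
    return hmac.new(key_secret, label + ciphertext, hashlib.sha256).digest()

def fake_plaintext(key_secret: bytes, ciphertext: bytes, k: int) -> bytes:
    """Synthetic message returned on padding failure; both its length and
    its bytes come from the PRF.  k is the RSA modulus length in bytes."""
    max_len = k - 11                     # longest message PKCS#1 v1.5 can carry
    length = int.from_bytes(_prf(key_secret, ciphertext, b"len"), "big") % (max_len + 1)
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += _prf(key_secret, ciphertext, b"msg" + ctr.to_bytes(4, "big"))
        ctr += 1
    return bytes(out[:length])

def unpad_implicit_reject(key_secret: bytes, ciphertext: bytes, em: bytes) -> bytes:
    """PKCS#1 v1.5 unpadding of the raw RSA output em (k bytes) that never
    reports an error: on any padding defect the caller gets the fake message.
    The fake is computed unconditionally and every byte is visited without an
    early exit; Python itself is not constant-time, so this shows the
    structure of the mitigation, not a timing-safe implementation."""
    k = len(em)
    fake = fake_plaintext(key_secret, ciphertext, k)
    bad = em[0] | (em[1] ^ 0x02)         # nonzero unless the header is 00 02
    sep, found = 0, 0                    # index of the first 0x00 after the header
    for i in range(2, k):
        is_zero = int(em[i] == 0)
        sep += i * (is_zero & (1 - found))   # record only the first zero
        found |= is_zero
    bad |= 1 - found                     # no separator byte at all
    bad |= int(sep < 10)                 # padding string shorter than 8 bytes
    real = em[sep + 1:]
    return (real, fake)[int(bad != 0)]   # select; no exception, no error code
```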

Comment 1 Dhananjay Arunesh 2023-09-13 09:41:03 UTC
Created nss tracking bugs for this issue:

Affects: fedora-all [bug 2238706]