Bug 772132 (CVE-2012-0390)

Summary: CVE-2012-0390 gnutls: DTLS plaintext recovery attack
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: jorton, tmraz
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: gnutls 3.0.11
Doc Type: Bug Fix
Last Closed: 2012-01-08 06:19:51 UTC
Bug Blocks: 772134

Attachments:
- Plaintext-Recovery Attacks Against Datagram TLS
- GnuTLS 3.0.10 -> 3.0.11 diff patch with cruft removed

Description Kurt Seifried 2012-01-06 05:09:56 UTC
http://www.isg.rhul.ac.uk/~kp/dtls.pdf

The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain
error-handling code only if there is a specific relationship between a
padding length and the ciphertext size, which makes it easier for
remote attackers to recover partial plaintext via a timing
side-channel attack, a related issue to CVE-2011-4108.

-----
Abstract from the paper:
-----

The Datagram Transport Layer Security (DTLS) protocol provides confidentiality and integrity of data exchanged between a client and a server. We describe an efficient and full plaintext recovery attack against the OpenSSL implementation of DTLS, and a partial plaintext recovery attack against the GnuTLS implementation of DTLS. The attack against the OpenSSL implementation is a variant of Vaudenay’s padding oracle attack and exploits small timing differences arising during the cryptographic processing of DTLS packets. It would have been prevented if the OpenSSL implementation had been in accordance with the DTLS RFC. In contrast, the GnuTLS implementation does follow the DTLS RFC closely, but is still vulnerable to attack. The attacks require new insights to overcome the lack of error messages in DTLS and to amplify the timing differences. We discuss the reasons why these implementations are insecure, drawing lessons for secure protocol design and implementation in general.
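The description above boils down to a record check whose running time depends on whether the padding was consistent with the ciphertext size. The following is an added example written for this page, not GnuTLS code and not the paper's: it uses a constructed record layout (data || tag || pad bytes || pad_len), a toy XOR-based MAC standing in for HMAC, and a byte counter standing in for elapsed time, all of which are my assumptions. It places the leaky shape (return early on bad padding, never reaching the MAC) next to a hardened shape that folds every check into masks and does identical work for every record of a given length, and it only addresses this "skip work on bad padding" class of leak.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout for this example (not GnuTLS's record code): after
   decryption a CBC record body is data || tag || pad bytes || pad_len, and a
   toy MAC stands in for HMAC. Only the padding/MAC bookkeeping matters here. */
#define MAC_LEN 20

/* Bytes touched by the checker: a deterministic stand-in for elapsed time, so
   the two variants can be compared without a clock. */
static size_t work = 0;
size_t checker_work(void) { size_t w = work; work = 0; return w; }

/* All-ones size_t when a <= b, zero otherwise, without a data-dependent branch. */
static size_t mask_le(size_t a, size_t b)
{
    return (size_t)0 - ((a - b - 1) >> (sizeof(size_t) * 8 - 1));
}

/* Toy MAC: tag[j] = j XOR (xor of the first data_len bytes). Not a real MAC;
   it exists only so the example can build records whose tag verifies. */
static void toy_mac(const uint8_t *rec, size_t data_len, uint8_t tag[MAC_LEN])
{
    uint8_t x = 0;
    for (size_t i = 0; i < data_len; i++) { x ^= rec[i]; work++; }
    for (size_t j = 0; j < MAC_LEN; j++) tag[j] = (uint8_t)j ^ x;
}

/* Same toy MAC, but it always walks `span` bytes and masks out those past
   data_len, so its work does not depend on where the data ends. */
static void toy_mac_ct(const uint8_t *rec, size_t span, size_t data_len, uint8_t tag[MAC_LEN])
{
    uint8_t x = 0;
    for (size_t i = 0; i < span; i++) { x ^= rec[i] & (uint8_t)mask_le(i + 1, data_len); work++; }
    for (size_t j = 0; j < MAC_LEN; j++) tag[j] = (uint8_t)j ^ x;
}

/* Leaky variant, the shape the description refers to: a pad length that does not
   fit the record size (or a wrong pad byte) returns before any MAC work is done,
   so "bad padding" and "good padding, bad MAC" take measurably different time. */
int verify_record_leaky(const uint8_t *rec, size_t len)
{
    if (len < MAC_LEN + 1) return 0;
    size_t pad = rec[len - 1];
    if (pad + 1 + MAC_LEN > len) return 0;           /* early exit: no MAC computed */
    for (size_t i = 0; i < pad; i++) {
        work++;
        if (rec[len - 2 - i] != pad) return 0;        /* early exit on the first bad byte */
    }
    size_t data_len = len - MAC_LEN - 1 - pad;
    uint8_t tag[MAC_LEN], d = 0;
    toy_mac(rec, data_len, tag);
    for (size_t j = 0; j < MAC_LEN; j++) d |= tag[j] ^ rec[data_len + j];
    return d == 0;
}

/* Hardened variant: an impossible pad length becomes a mask instead of a branch,
   the padding scan always covers 256 positions, the MAC always walks the whole
   variable region, and the stored tag is picked out with masks. Records of the
   same (public) length do identical work; the verdict is assembled at the end. */
int verify_record_ct(const uint8_t *rec, size_t len)
{
    if (len < MAC_LEN + 2) return 0;                  /* len is public, so branching on it is fine */
    size_t avail = len - MAC_LEN - 1;                 /* bytes that are either data or padding */
    size_t pad = rec[len - 1];
    size_t pad_ok = mask_le(pad, avail);              /* all-ones iff the pad fits the record */
    size_t eff_pad = pad & pad_ok;                    /* an impossible pad counts as 0 from here on */
    uint8_t bad = 0, d = 0, tag[MAC_LEN], stored[MAC_LEN] = {0};

    for (size_t i = 0; i < 256; i++) {                /* fixed-length scan, independent of pad */
        size_t j = i % avail;                         /* stays in bounds; i < eff_pad implies j == i */
        bad |= (uint8_t)mask_le(i + 1, eff_pad) & (rec[len - 2 - j] ^ (uint8_t)pad);
        work++;
    }
    size_t data_len = avail - eff_pad;
    toy_mac_ct(rec, avail, data_len, tag);
    for (size_t j = 0; j < MAC_LEN; j++)              /* stored[j] = rec[data_len + j], by masks */
        for (size_t k = 0; k < len - 1; k++) {
            size_t hit = mask_le(k, data_len + j) & mask_le(data_len + j, k);
            stored[j] |= rec[k] & (uint8_t)hit;
            work++;
        }
    for (size_t j = 0; j < MAC_LEN; j++) d |= tag[j] ^ stored[j];
    return (int)(pad_ok & mask_le(bad, 0) & mask_le(d, 0) & 1);
}

/* Builds data || toy tag || pad bytes || pad_len into out (constructed input for
   the checks above) and returns the record length; building is not charged to work. */
size_t build_record(const uint8_t *data, size_t data_len, uint8_t pad, uint8_t *out)
{
    size_t saved = work;
    memcpy(out, data, data_len);
    toy_mac(data, data_len, out + data_len);
    memset(out + data_len + MAC_LEN, pad, pad);
    out[data_len + MAC_LEN + pad] = pad;
    work = saved;
    return data_len + MAC_LEN + pad + 1;
}
```

With an 8-byte payload and three pad bytes, the leaky checker touches 11 bytes on a valid record, 3 on a record whose pad bytes are wrong, and none at all when the pad length cannot fit the record, which is exactly the kind of distinguishable behaviour the description warns about; the hardened checker touches the same number of bytes in all three cases, so the verdict is the only thing that differs.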

Comment 1 Kurt Seifried 2012-01-06 05:37:38 UTC
git clone git://git.savannah.gnu.org/gnutls.git
cd gnutls
git log

wget http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.10.tar.xz
# unpack the release tarball so the source tree exists to diff against
tar xJf gnutls-3.0.10.tar.xz
diff -ru gnutls-3.0.10/src/ gnutls/src/

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=summary

nothing fixed yet.

Comment 2 Kurt Seifried 2012-01-06 05:41:58 UTC
Created attachment 551088 [details]
Plaintext-Recovery Attacks Against Datagram TLS

Comment 4 Vincent Danen 2012-01-06 21:02:00 UTC
This is corrected in upstream 3.0.11 (GNUTLS-SA-2012-1):

http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5657

Comment 5 Kurt Seifried 2012-01-06 21:52:59 UTC
Created attachment 551286 [details]
GnuTLS 3.0.10 -> 3.0.11 diff patch with cruft removed

diff -ru gnutls 3.0.10 and 3.0.11, removed all the docs/etc cruft.

Comment 7 Kurt Seifried 2012-01-08 06:19:51 UTC
Spent too long staring at 3.x code, got tunnel vision. 2.x doesn't support DTLS, therefore not affected.

Comment 8 Tomas Hoger 2012-01-10 09:39:36 UTC
(In reply to comment #5)
> Created attachment 551286 [details]
> GnuTLS 3.0.10 -> 3.0.11 diff patch with cruft removed
> 
> diff -ru gnutls 3.0.10 and 3.0.11, removed all the docs/etc cruft.

It seems only part of that is relevant to this issue.  Upstream commit of the fix from one of the paper authors:

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=35e26ca63c6da01db460d93e9c4bf86cd668534c

Comment 10 Vincent Danen 2012-01-11 19:46:01 UTC
Statement:

Not vulnerable. This issue did not affect the versions of gnutls as shipped with Red Hat Enterprise Linux 4, 5 and 6 as they did not include support for DTLS.