Bug 908238 (CVE-2013-1619)

Summary: CVE-2013-1619 gnutls: TLS CBC padding timing attack (lucky-13)
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: erik-fedora, jorton, mike, rjones, tmraz
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: gnutls 2.12.23, gnutls 3.0.28, gnutls 3.1.7
Doc Type: Bug Fix
Last Closed: 2013-03-26 06:47:40 UTC
Bug Depends On: 907983, 908418, 908419, 908441, 908443, 911072, 911073, 911076, 911077
Bug Blocks: 907592
Attachments:
  gnutls 2.12.20 patch1
  gnutls 2.12.20 patch2

Description Huzaifa S. Sidhpurwala 2013-02-06 08:47:41 UTC
A flaw in how TLS/DTLS, when CBC-mode encryption is used, communicates was reported.  This vulnerability can allow for a Man-in-the-Middle attacker to recover plaintext from a TLS/DTLS connection, when CBC-mode encryption is used.

This flaw is in the TLS specification, and not a bug in a specific implementation (as such, it affects nearly all implementations).  As such, it affects all TLS and DTLS implementations that are compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2.  It also applies to implementations of SSL 3.0 and TLS 1.0 that incorporate countermeasures to deal with previous padding oracle attacks.  All TLS/DTLS ciphersuites that include CBC-mode encryption are potentially vulnerable.

The paper indicates that with OpenSSL, a full plaintext recovery attack is possible, and with GnuTLS, a partial plaintext recovery is possible (recovering up to 4 bits of the last byte in any block of plaintext).

To perform a successful attack, when TLS is used, a large number of TLS sessions are required (target plaintext must be sent repeatedly in the same position in the plaintext stream across the sessions).  For DTLS, a successful attack can be carried out in a single session.  The attacker must also be located close to the machine being attacked.

Further details are noted in the paper:

http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

External References:

http://www.isg.rhul.ac.uk/tls/
http://www.gnutls.org/security.html#GNUTLS-SA-2013-1

Patches:

2.12.x:
https://gitorious.org/gnutls/gnutls/commit/458c67cf98740e7b12404f6c30e0d5317d56fd30
https://gitorious.org/gnutls/gnutls/commit/93b7fcfa3297a9123630704668b2946f602b910e

3.0.x:
https://gitorious.org/gnutls/gnutls/commit/8dc2822966f64dd9cf7dde9c7aacd80d49d3ffe5

3.2.x / master:
https://gitorious.org/gnutls/gnutls/commit/328ee22c1b3951e060c7124c7cb1cee592c59bc0

Comment 1 Vincent Danen 2013-02-06 16:32:24 UTC
To clarify, this CVE is specifically for:

"The GnuTLS implementation of MEE-TLS-CBC deals with bad padding
in a different way to that recommended in the RFCs: instead of
assuming zero-length padding, it uses the last byte of plaintext
to determine how many plaintext bytes to remove (whether or not
those bytes are correctly formatted padding). ... This indicates
that ignoring the recommendations of the RFCs can have severe
security consequences."

Which is not quite the same as that described in comment #0 (that description is for CVE-2013-0169 which also affects GnuTLS).
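
As an added illustration of the quoted paragraph (this is not GnuTLS source and not an attachment from this bug), the two padding-removal policies side by side in C: the RFC 5246 recommendation, which treats malformed padding as zero-length padding, and the behaviour the paper attributes to pre-fix GnuTLS, where the last byte decides how much is stripped regardless of validity. A 20-byte HMAC-SHA1 tag, the out-of-range length check in the old-GnuTLS variant, and the 64-byte sample records are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustration only (not GnuTLS code). MAC_LEN assumes an HMAC-SHA1
 * ciphersuite; REC_LEN is the size of the constructed sample records. */
#define MAC_LEN 20
#define REC_LEN 64

/* RFC 5246, 6.2.3.2: check every padding byte; if the padding is malformed,
 * continue as if it were zero-length (strip only the padding_length byte) so
 * the amount of data handed to the MAC does not depend on that byte's value.
 * Returns the MAC input length, or -1 if the record cannot hold a MAC at all.
 * *pad_ok reports validity; the caller must still reject the record if 0. */
long mac_input_len_rfc(const uint8_t *pt, size_t len, int *pad_ok)
{
    if (len < MAC_LEN + 1)
        return -1;
    size_t padlen = pt[len - 1];
    int ok = (padlen + 1 + MAC_LEN <= len);
    if (ok)
        for (size_t i = 0; i <= padlen; i++)
            ok &= (pt[len - 1 - i] == padlen);
    *pad_ok = ok;
    size_t strip = ok ? padlen + 1 : 1;   /* invalid -> zero-length padding */
    return (long)(len - strip - MAC_LEN);
}

/* Behaviour the quoted paper attributes to pre-fix GnuTLS: the last byte
 * decides how many bytes are removed whether or not they are valid padding,
 * so the MAC runs over len - padlen - 1 - MAC_LEN bytes either way.
 * The range check rejecting padlen beyond the record is an assumption. */
long mac_input_len_gnutls_old(const uint8_t *pt, size_t len, int *pad_ok)
{
    if (len < MAC_LEN + 1)
        return -1;
    size_t padlen = pt[len - 1];
    if (padlen + 1 + MAC_LEN > len)
        return -1;
    int ok = 1;
    for (size_t i = 0; i <= padlen; i++)
        ok &= (pt[len - 1 - i] == padlen);
    *pad_ok = ok;
    return (long)(len - padlen - 1 - MAC_LEN);   /* tracks padlen even if !ok */
}

/* SHA-1 compression-function calls for the inner hash of HMAC-SHA1 over a TLS
 * MAC input: 64-byte inner key block + 13-byte record header + data, then
 * SHA-1 padding (0x80 plus an 8-byte length, rounded up to 64-byte blocks).
 * This count is what the timing side channel observes. */
size_t sha1_blocks_for_hmac_inner(size_t data_len)
{
    size_t msg = 64 + 13 + data_len;
    return (msg + 9 + 63) / 64;
}

/* Constructed sample: a REC_LEN-byte "decrypted" record filled with 0xAA whose
 * final (padding_length) byte is 'last'; the padding is malformed unless last == 0. */
static void make_bad_record(uint8_t *pt, uint8_t last)
{
    memset(pt, 0xAA, REC_LEN);
    pt[REC_LEN - 1] = last;
}

long rfc_len_for_bad_record(uint8_t last)
{
    uint8_t pt[REC_LEN]; int ok;
    make_bad_record(pt, last);
    return mac_input_len_rfc(pt, REC_LEN, &ok);
}

long old_len_for_bad_record(uint8_t last)
{
    uint8_t pt[REC_LEN]; int ok;
    make_bad_record(pt, last);
    return mac_input_len_gnutls_old(pt, REC_LEN, &ok);
}

/* Both policies accept a correctly padded record (four bytes of 0x03). */
int valid_record_accepted(void)
{
    uint8_t pt[REC_LEN]; int ok1, ok2;
    memset(pt, 0xAA, REC_LEN);
    memset(pt + REC_LEN - 4, 0x03, 4);
    long a = mac_input_len_rfc(pt, REC_LEN, &ok1);
    long b = mac_input_len_gnutls_old(pt, REC_LEN, &ok2);
    return ok1 && ok2 && a == b && a == REC_LEN - 4 - MAC_LEN;
}

int main(void)
{
    uint8_t lasts[] = { 0x00, 0x05, 0x0c, 0x20 };
    printf("last  RFC len/blocks  old-GnuTLS len/blocks\n");
    for (size_t i = 0; i < sizeof lasts; i++) {
        long r = rfc_len_for_bad_record(lasts[i]);
        long o = old_len_for_bad_record(lasts[i]);
        printf("0x%02x   %2ld / %zu          %2ld / %zu\n", lasts[i],
               r, sha1_blocks_for_hmac_inner((size_t)r),
               o, sha1_blocks_for_hmac_inner((size_t)o));
    }
    return valid_record_accepted() ? 0 : 1;
}
```

Under the old policy the MAC input length, and with it the number of SHA-1 compression calls, follows the last plaintext byte even when the padding is garbage, which is the timing signal the paper turns into recovery of bits of that byte. The RFC policy removes the dependence on the byte's value, but the MAC input still differs between valid and invalid padding; that residual difference is what the paper exploits against OpenSSL (CVE-2013-0169), so the complete countermeasure is to make the MAC computation itself take time independent of the padding outcome.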

Comment 2 Vincent Danen 2013-02-06 16:35:48 UTC
Sorry, as per:

http://www.openwall.com/lists/oss-security/2013/02/06/1

CVE-2013-0169 does _not_ affect GnuTLS.

Comment 3 Vincent Danen 2013-02-06 16:42:57 UTC
Created mingw32-gnutls tracking bugs for this issue

Affects: fedora-16 [bug 908418]
Affects: epel-5 [bug 908419]

Comment 4 Vincent Danen 2013-02-06 17:30:45 UTC
Created mingw-gnutls tracking bugs for this issue

Affects: fedora-17 [bug 908441]

Comment 5 Vincent Danen 2013-02-06 17:32:16 UTC
Created mingw-gnutls tracking bugs for this issue

Affects: fedora-18 [bug 908443]

Comment 6 Michael Cronenworth 2013-02-08 02:37:58 UTC
Created attachment 694893 [details]
gnutls 2.12.20 patch1

The provided patches for 2.12.x do not apply against 2.12.20 (Fedora 17). I have modified them to apply.

Comment 7 Michael Cronenworth 2013-02-08 02:38:27 UTC
Created attachment 694894 [details]
gnutls 2.12.20 patch2

Comment 8 Tomas Hoger 2013-02-08 09:24:01 UTC
Write up from Nikos Mavrogiannopoulos, one of the GnuTLS authors:

http://nmav.gnutls.org/2013/02/time-is-money-for-cbc-ciphersuites.html

Comment 11 Fedora Update System 2013-02-17 03:26:24 UTC
mingw-gnutls-2.12.22-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2013-02-17 03:31:00 UTC
mingw-gnutls-2.12.20-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 errata-xmlrpc 2013-03-04 21:14:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0588 https://rhn.redhat.com/errata/RHSA-2013-0588.html

Comment 14 Fedora Update System 2013-03-05 23:27:02 UTC
gnutls-2.12.23-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2013-03-12 23:33:00 UTC
libtasn1-2.14-1.fc17, gnutls-2.12.23-1.fc17 have been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 errata-xmlrpc 2013-03-13 14:48:06 UTC
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2013:0636 https://rhn.redhat.com/errata/RHSA-2013-0636.html