| Field | Value |
|---|---|
| Summary | CVE-2013-1619 gnutls: TLS CBC padding timing attack (lucky-13) |
| Product | [Other] Security Response |
| Reporter | Huzaifa S. Sidhpurwala <huzaifas> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Version | unspecified |
| CC | erik-fedora, jorton, mike, rjones, tmraz |
| Fixed In Version | gnutls 2.12.23, gnutls 3.0.28, gnutls 3.1.7 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2013-03-26 06:47:40 UTC |
| Type | --- |
| oVirt Team | --- |
| Bug Depends On | 907983, 908418, 908419, 908441, 908443, 911072, 911073, 911076, 911077 |
Description Huzaifa S. Sidhpurwala 2013-02-06 08:47:41 UTC
A flaw in how TLS/DTLS, when CBC-mode encryption is used, communicates was reported. This vulnerability can allow a Man-in-the-Middle attacker to recover plaintext from a TLS/DTLS connection when CBC-mode encryption is used. This flaw is in the TLS specification, and not a bug in a specific implementation (as such, it affects nearly all implementations). It affects all TLS and DTLS implementations that are compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2. It also applies to implementations of SSL 3.0 and TLS 1.0 that incorporate countermeasures to deal with previous padding oracle attacks. All TLS/DTLS ciphersuites that include CBC-mode encryption are potentially vulnerable.

The paper indicates that with OpenSSL, a full plaintext recovery attack is possible, and with GnuTLS, a partial plaintext recovery is possible (recovering up to 4 bits of the last byte in any block of plaintext). To perform a successful attack, when TLS is used, a large number of TLS sessions are required (the target plaintext must be sent repeatedly in the same position in the plaintext stream across the sessions). For DTLS, a successful attack can be carried out in a single session. The attacker must also be located close to the machine being attacked.

Further details are noted in the paper: http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

External References:
http://www.isg.rhul.ac.uk/tls/
http://www.gnutls.org/security.html#GNUTLS-SA-2013-1

Patches:
2.12.x:
https://gitorious.org/gnutls/gnutls/commit/458c67cf98740e7b12404f6c30e0d5317d56fd30
https://gitorious.org/gnutls/gnutls/commit/93b7fcfa3297a9123630704668b2946f602b910e
3.0.x:
https://gitorious.org/gnutls/gnutls/commit/8dc2822966f64dd9cf7dde9c7aacd80d49d3ffe5
3.2.x / master:
https://gitorious.org/gnutls/gnutls/commit/328ee22c1b3951e060c7124c7cb1cee592c59bc0
Comment 1 Vincent Danen 2013-02-06 16:32:24 UTC
To clarify, this CVE is specifically for: "The GnuTLS implementation of MEE-TLS-CBC deals with bad padding in a different way to that recommended in the RFCs: instead of assuming zero-length padding, it uses the last byte of plaintext to determine how many plaintext bytes to remove (whether or not those bytes are correctly formatted padding). ... This indicates that ignoring the recommendations of the RFCs can have severe security consequences." Which is not quite the same as that described in comment #0 (that description is for CVE-2013-0169 which also affects GnuTLS).
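The difference comment 1 draws, between stripping a fixed zero-length pad when the padding check fails (the RFC 5246 section 6.2.3.2 advice) and stripping however many bytes the last plaintext byte asks for, is easiest to see on a decrypted record. The following is an added illustration written for this bug, not GnuTLS code or the paper's code: it models a TLS 1.1+ CBC record after decryption as payload || MAC || padding, assumes an HMAC-SHA1 suite (20-byte tag), a constructed MAC key and header, and treats "zero-length padding" as "strip nothing before the MAC check" (a simplification of what the RFC suggests). Both handlers are written from the record-processing side and report how many bytes end up feeding the MAC; the point is that the RFC-style handler feeds the same number of bytes regardless of what a malformed last byte claims, while the last-byte handler's MAC input length follows the (untrusted) last byte. The paper shows that even the RFC-style approach still leaks timing through the MAC computation itself, which is why the fixed releases listed above go further than this sketch.

```python
import hashlib
import hmac

# HMAC-SHA1 tag length, as in the *_CBC_SHA ciphersuites (assumed suite).
MAC_LEN = hashlib.sha1().digest_size


def build_record(key, header, payload, block_size=16):
    """Build a well-formed decrypted record: payload || tag || pad bytes || pad_len.
    Every pad byte and the trailing length byte carry the same value."""
    tag = hmac.new(key, header + payload, hashlib.sha1).digest()
    body = payload + tag
    pad = (-(len(body) + 1)) % block_size
    return body + bytes([pad]) * (pad + 1)


def check_padding(plaintext):
    """Return (padding_ok, bytes_to_strip); never trusts the last byte blindly."""
    pad = plaintext[-1]
    strip = pad + 1
    ok = strip <= len(plaintext) - MAC_LEN and all(b == pad for b in plaintext[-strip:])
    return ok, strip


def _finish(key, header, plaintext, padding_ok, strip):
    """Strip `strip` bytes, split off the tag, verify the MAC, report what was MAC'd."""
    body = plaintext[:len(plaintext) - strip]
    if len(body) < MAC_LEN:
        # Not even room for a tag: reject without a MAC pass (assumed behaviour).
        return {"padding_ok": padding_ok, "mac_ok": False,
                "mac_input_len": 0, "accepted": False}
    payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(key, header + payload, hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(expected, tag)
    return {"padding_ok": padding_ok, "mac_ok": mac_ok,
            "mac_input_len": len(header) + len(payload),
            "accepted": padding_ok and mac_ok}


def process_rfc_style(key, header, plaintext):
    """RFC 5246 advice: on bad padding, continue as if the pad were zero length
    (modelled here as stripping nothing) and still run the MAC check."""
    ok, strip = check_padding(plaintext)
    if not ok:
        strip = 0
    return _finish(key, header, plaintext, ok, strip)


def process_last_byte_style(key, header, plaintext):
    """Behaviour comment 1 describes for unfixed GnuTLS: the last byte decides
    how much to remove whether or not the pad bytes actually match it."""
    ok, strip = check_padding(plaintext)
    return _finish(key, header, plaintext, ok, strip)


def demo():
    """Run both handlers over a valid record and two malformed variants (all constructed)."""
    key = b"k" * 20                               # constructed MAC key
    payload = b"GET /secret HTTP/1.1\r\n"         # 22 bytes of constructed application data
    # seq_num (8) || type, version (3) || length (2): the data the MAC also covers
    header = bytes(8) + b"\x17\x03\x02" + len(payload).to_bytes(2, "big")
    good = build_record(key, header, payload)    # 22 + 20 + 6 = 48 bytes

    corrupt = bytearray(good)
    corrupt[-3] ^= 0x01                           # one pad byte no longer matches
    forged = good[:-1] + b"\x0f"                  # last byte claims 16 bytes of padding

    results = {}
    for name, rec in (("valid", good), ("corrupt_pad_byte", bytes(corrupt)),
                      ("forged_pad_len", forged)):
        results[name] = {"rfc": process_rfc_style(key, header, rec),
                         "last_byte": process_last_byte_style(key, header, rec)}
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:18s} rfc MAC input={r['rfc']['mac_input_len']:3d} "
              f"accepted={r['rfc']['accepted']!s:5s} | "
              f"last-byte MAC input={r['last_byte']['mac_input_len']:3d} "
              f"accepted={r['last_byte']['accepted']}")
```

Running `demo()` shows the RFC-style handler feeding 41 bytes to the MAC for both malformed records (13 header bytes plus all 28 non-tag bytes) while the last-byte handler feeds 35 and 25 bytes respectively, i.e. an amount chosen by whoever controls the last decrypted byte; both handlers accept only the valid record.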
Comment 2 Vincent Danen 2013-02-06 16:35:48 UTC
Sorry, as per: http://www.openwall.com/lists/oss-security/2013/02/06/1 CVE-2013-0169 does _not_ affect GnuTLS.
Comment 3 Vincent Danen 2013-02-06 16:42:57 UTC
Created mingw32-gnutls tracking bugs for this issue
Affects: fedora-16 [bug 908418]
Affects: epel-5 [bug 908419]
Comment 4 Vincent Danen 2013-02-06 17:30:45 UTC
Created mingw-gnutls tracking bugs for this issue
Affects: fedora-17 [bug 908441]
Comment 5 Vincent Danen 2013-02-06 17:32:16 UTC
Created mingw-gnutls tracking bugs for this issue
Affects: fedora-18 [bug 908443]
Comment 6 Michael Cronenworth 2013-02-08 02:37:58 UTC
Created attachment 694893: gnutls 2.12.20 patch1

The provided patches for 2.12.x do not apply against 2.12.20 (Fedora 17). I have modified them to apply.
Comment 7 Michael Cronenworth 2013-02-08 02:38:27 UTC
Created attachment 694894: gnutls 2.12.20 patch2
Comment 8 Tomas Hoger 2013-02-08 09:24:01 UTC
Write up from Nikos Mavrogiannopoulos, one of the GnuTLS authors: http://nmav.gnutls.org/2013/02/time-is-money-for-cbc-ciphersuites.html
Comment 11 Fedora Update System 2013-02-17 03:26:24 UTC
mingw-gnutls-2.12.22-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2013-02-17 03:31:00 UTC
mingw-gnutls-2.12.20-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 errata-xmlrpc 2013-03-04 21:14:34 UTC
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6

Via RHSA-2013:0588 https://rhn.redhat.com/errata/RHSA-2013-0588.html
Comment 14 Fedora Update System 2013-03-05 23:27:02 UTC
gnutls-2.12.23-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2013-03-12 23:33:00 UTC
libtasn1-2.14-1.fc17 and gnutls-2.12.23-1.fc17 have been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.