Bug 2162596 (CVE-2023-0361) - CVE-2023-0361 gnutls: timing side-channel in the TLS RSA key exchange code
Summary: CVE-2023-0361 gnutls: timing side-channel in the TLS RSA key exchange code
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-0361
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2169607 2162598 2162599 2162600 2162601 2162602 2169608 2169609 2169610 2169951 2191733
Blocks: 2161844
TreeView+ depends on / blocked
 
Reported: 2023-01-20 06:22 UTC by Sandipan Roy
Modified: 2023-09-26 21:16 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A timing side-channel vulnerability was found in RSA ClientKeyExchange messages in GnuTLS. This side-channel may be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.
Clone Of:
Environment:
Last Closed: 2023-04-04 13:24:09 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:1141 0 None None None 2023-03-07 13:47:07 UTC
Red Hat Product Errata RHSA-2023:1200 0 None None None 2023-03-14 13:53:20 UTC
Red Hat Product Errata RHSA-2023:1569 0 None None None 2023-04-04 09:22:28 UTC
Red Hat Product Errata RHSA-2023:3361 0 None None None 2023-05-31 08:44:46 UTC

Description Sandipan Roy 2023-01-20 06:22:20 UTC 
The time for GnuTLS to respond to malformed RSA ciphertexts in ClientKeyExchange depends on kind of error in the RSA padding.

Generally, it looks like the response time depends on size of encrypted data in the PKCS#1 v1.5 encrypted data.

I've run tests with 1 million connections per probe, on a 2.4GHz skylake CPU with 1024 bit RSA key, the two probes with most dissimilar results were "too long (49-byte) pre master secret" and "invalid MAC in Finished on pos 0", it takes the server an extra 58.5ns to respond one over the other. This is with a 95% confidence interval of +-6.8ns.

Exact results of Wilcoxon signed-rank tests are in this report.csv file, you can find explanation of the plaintexts sent by those probes in https://github.com/tomato42/tlsfuzzer/pull/679
Comment 3 Sandipan Roy 2023-02-14 04:24:13 UTC 
Created gnutls tracking bugs for this issue:

Affects: fedora-all [bug 2169608]


Created mingw-gnutls tracking bugs for this issue:

Affects: fedora-all [bug 2169609]


Created mod_gnutls tracking bugs for this issue:

Affects: epel-all [bug 2169607]
Affects: fedora-all [bug 2169610]
Comment 6 errata-xmlrpc 2023-03-07 13:47:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1141 https://access.redhat.com/errata/RHSA-2023:1141
Comment 7 errata-xmlrpc 2023-03-14 13:53:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1200 https://access.redhat.com/errata/RHSA-2023:1200
Comment 8 errata-xmlrpc 2023-04-04 09:22:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1569 https://access.redhat.com/errata/RHSA-2023:1569
Comment 9 Product Security DevOps Team 2023-04-04 13:24:06 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0361
Comment 10 errata-xmlrpc 2023-05-31 08:44:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:3361 https://access.redhat.com/errata/RHSA-2023:3361
Note You need to log in before you can comment on or make changes to this bug.