2269228 – (CVE-2024-28834) CVE-2024-28834 gnutls: vulnerable to Minerva side-channel information leak

Bug 2269228 (CVE-2024-28834) - CVE-2024-28834 gnutls: vulnerable to Minerva side-channel information leak

Summary: CVE-2024-28834 gnutls: vulnerable to Minerva side-channel information leak

Keywords:
Status:	NEW
Alias:	CVE-2024-28834
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2270616
Blocks:	2269079
TreeView+	depends on / blocked

Reported:	2024-03-12 18:30 UTC by Robb Gatica
Modified:	2024-04-25 01:16 UTC (History)
CC List:	1 user (show)
Fixed In Version:	gnutls-3.8.4
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:1879	None	None	None	2024-04-18 02:18:45 UTC
Red Hat Product Errata	RHSA-2024:1997	None	None	None	2024-04-23 14:32:43 UTC
Red Hat Product Errata	RHSA-2024:2044	None	None	None	2024-04-25 01:16:41 UTC

Description Robb Gatica 2024-03-12 18:30:13 UTC

Embargoed issue reported upstream:

---

My team and I have tested GnuTLS and we found that it is vulnerable to the Minerva attack. GnuTLS on its own is not vulnerable but when we are using
the deterministic code we can see a step from 513 K-bit-size to 512 K-bit-size.

The test scenario is that we are signing random messages using the gnutls_privkey_sign_data2 API function using "GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE" flag. Then using the private key, we extract the K value from the signatures. After that, based on the bit size of the extracted nonce we compare full-sized nonces to smaller ones and use the statistical tests to compare the signature times.

For testing, we used gnutls-3.7.6-23.el9.x86_64 and gnutls-devel-3.7.6-23.el9.x86_64

In these results, we can clearly see that there is a "step" from nonce size of 513 bits to nonce size of 512 bits. The size of this side channel is
around 34 ns. The sample tested has 43,190,069 observations.

Reference: https://minerva.crocs.fi.muni.cz

Comment 3 Sandipan Roy 2024-03-21 05:50:50 UTC

Created gnutls tracking bugs for this issue:

Affects: fedora-all [bug 2270616]

Comment 5 errata-xmlrpc 2024-04-18 02:18:45 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1879 https://access.redhat.com/errata/RHSA-2024:1879

Comment 6 errata-xmlrpc 2024-04-23 14:32:42 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1997 https://access.redhat.com/errata/RHSA-2024:1997

Comment 7 errata-xmlrpc 2024-04-25 01:16:40 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:2044 https://access.redhat.com/errata/RHSA-2024:2044

Note You need to log in before you can comment on or make changes to this bug.