Bug 772132 - (CVE-2012-0390) CVE-2012-0390 GnuTLS 3.0.10 DTLS plaintext recovery attack
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20120105,repor...
Keywords: Security
Blocks: 772134
Reported: 2012-01-06 00:09 EST by Kurt Seifried
Modified: 2012-01-11 14:46 EST (History)
Fixed In Version: gnutls 3.0.11
Doc Type: Bug Fix
Last Closed: 2012-01-08 01:19:51 EST
Attachments
Plaintext-Recovery Attacks Against Datagram TLS (496.07 KB, application/pdf)
2012-01-06 00:41 EST, Kurt Seifried
GnuTLS 3.0.10 -> 3.0.11 diff patch with cruft removed (1.08 KB, patch)
2012-01-06 16:52 EST, Kurt Seifried

Description Kurt Seifried 2012-01-06 00:09:56 EST
http://www.isg.rhul.ac.uk/~kp/dtls.pdf

The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain
error-handling code only if there is a specific relationship between a
padding length and the ciphertext size, which makes it easier for
remote attackers to recover partial plaintext via a timing
side-channel attack, a related issue to CVE-2011-4108.

-----
Abstract from the paper:
-----

The Datagram Transport Layer Security (DTLS) protocol provides confidentiality and integrity of data exchanged between a client and a server. We describe an efficient and full plaintext recovery attack against the OpenSSL implementation of DTLS, and a partial plaintext recovery attack against the GnuTLS implementation of DTLS. The attack against the OpenSSL implementation is a variant of Vaudenay's padding oracle attack and exploits small timing differences arising during the cryptographic processing of DTLS packets. It would have been prevented if the OpenSSL implementation had been in accordance with the DTLS RFC. In contrast, the GnuTLS implementation does follow the DTLS RFC closely, but is still vulnerable to attack. The attacks require new insights to overcome the lack of error messages in DTLS and to amplify the timing differences. We discuss the reasons why these implementations are insecure, drawing lessons for secure protocol design and implementation in general.
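Added illustration in C (not GnuTLS code and not from the paper) of the pattern the description above refers to: a record check whose pad-length sanity test exits before the MAC is computed, next to a version that always does the same work and folds every failure into one flag. The record layout, the toy MAC, the mac_calls counter and the verify_* names are constructed for this example.

```c
/* Added illustration, not GnuTLS code. Record layout assumed:
 * plaintext || MAC || padding bytes (each == pad) || pad-length byte.
 * Toy MAC is a constructed stand-in for HMAC and is not secure. */
#include <stdint.h>
#include <string.h>

#define MAC_LEN 4
static int mac_calls;   /* instrumentation: how often the MAC ran */

static void toy_mac(const uint8_t *d, size_t n, uint8_t out[MAC_LEN]) {
    uint32_t h = 0x9e3779b9u;
    for (size_t i = 0; i < n; i++) h = (h ^ d[i]) * 0x01000193u;
    for (int i = 0; i < MAC_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
    mac_calls++;
}

/* Build a well-formed record into out; returns its length. */
size_t make_record(const uint8_t *pt, size_t n, uint8_t pad, uint8_t *out) {
    memcpy(out, pt, n);
    toy_mac(pt, n, out + n);
    memset(out + n + MAC_LEN, pad, pad + 1u);
    return n + MAC_LEN + pad + 1u;
}

/* Vulnerable shape: an inconsistent pad length exits before the MAC is
 * computed, so that failure is faster than a MAC failure (timing leak). */
int verify_shortcircuit(const uint8_t *rec, size_t len) {
    size_t pad = rec[len - 1];
    if (pad + 1 + MAC_LEN > len) return -1;             /* MAC never runs */
    for (size_t i = 0; i < pad; i++) if (rec[len - 2 - i] != pad) return -1;
    size_t plen = len - pad - 1 - MAC_LEN;
    uint8_t m[MAC_LEN]; toy_mac(rec, plen, m);
    return memcmp(m, rec + plen, MAC_LEN) == 0 ? 0 : -1;
}

/* Hardened shape (simplified; needs len > MAC_LEN): failures fold into one
 * flag, every byte position is visited, the MAC always runs. A full fix must
 * also make the MAC computation itself independent of the pad length. */
int verify_uniform(const uint8_t *rec, size_t len) {
    size_t pad = rec[len - 1], bad = (pad + 1 + MAC_LEN > len);
    size_t plen = (len - pad - 1 - MAC_LEN) & ((size_t)0 - (1 - bad)); /* 0 if bad */
    uint8_t diff = 0, m[MAC_LEN];
    for (size_t i = 0; i + 1 < len; i++) {       /* public count, no early exit */
        uint8_t inpad = (uint8_t)(0 - ((i - pad) >> (8 * sizeof(size_t) - 1)));
        diff |= (rec[len - 2 - i] ^ (uint8_t)pad) & inpad;
    }
    toy_mac(rec, plen, m);
    for (int i = 0; i < MAC_LEN; i++) diff |= m[i] ^ rec[plen + i];
    return (bad | diff) ? -1 : 0;
}
```

Both functions accept and reject the same records; the difference to watch is that only the hardened one reaches toy_mac on a bad pad length.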
Comment 1 Kurt Seifried 2012-01-06 00:37:38 EST
git clone git://git.savannah.gnu.org/gnutls.git
cd gnutls
git log
cd ..   # back to the parent directory so the diff paths below resolve

wget http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.10.tar.xz
tar xf gnutls-3.0.10.tar.xz   # unpack the release tree before diffing it
diff -ru gnutls-3.0.10/src/ gnutls/src/

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=summary

nothing fixed yet.
Comment 2 Kurt Seifried 2012-01-06 00:41:58 EST
Created attachment 551088 [details]
Plaintext-Recovery Attacks Against Datagram TLS
Comment 4 Vincent Danen 2012-01-06 16:02:00 EST
This is corrected in upstream 3.0.11 (GNUTLS-SA-2012-1):

http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5657
Comment 5 Kurt Seifried 2012-01-06 16:52:59 EST
Created attachment 551286 [details]
GnuTLS 3.0.10 -> 3.0.11 diff patch with cruft removed

diff -ru gnutls 3.0.10 and 3.0.11, removed all the docs/etc cruft.
Comment 7 Kurt Seifried 2012-01-08 01:19:51 EST
Spent too long staring at 3.x code, got tunnel vision. 2.x doesn't support DTLS, therefore not affected.
Comment 8 Tomas Hoger 2012-01-10 04:39:36 EST
(In reply to comment #5)
> Created attachment 551286 [details]
> GnuTLS 3.0.10 -> 3.0.11 diff patch with cruft removed
> 
> diff -ru gnutls 3.0.10 and 3.0.11, removed all the docs/etc cruft.

It seems only part of that is relevant to this issue.  Upstream commit of the fix from one of the paper authors:

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=35e26ca63c6da01db460d93e9c4bf86cd668534c
Comment 10 Vincent Danen 2012-01-11 14:46:01 EST
Statement:

Not vulnerable. This issue did not affect the versions of gnutls as shipped with Red Hat Enterprise Linux 4, 5 and 6 as they did not include support for DTLS.
