Bug 772132 (CVE-2012-0390) - CVE-2012-0390 gnutls: DTLS plaintext recovery attack
Summary: CVE-2012-0390 gnutls: DTLS plaintext recovery attack
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2012-0390
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 772134
Reported: 2012-01-06 05:09 UTC by Kurt Seifried
Modified: 2021-02-24 13:29 UTC (History)

Fixed In Version: gnutls 3.0.11
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-01-08 06:19:51 UTC
Embargoed:


Attachments
Plaintext-Recovery Attacks Against Datagram TLS (496.07 KB, application/pdf)
2012-01-06 05:41 UTC, Kurt Seifried
GnuTLS 3.0.10 -> 3.0.11 diff patch with cruft removed (1.08 KB, patch)
2012-01-06 21:52 UTC, Kurt Seifried

Description Kurt Seifried 2012-01-06 05:09:56 UTC
http://www.isg.rhul.ac.uk/~kp/dtls.pdf

The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain
error-handling code only if there is a specific relationship between a
padding length and the ciphertext size, which makes it easier for
remote attackers to recover partial plaintext via a timing
side-channel attack, a related issue to CVE-2011-4108.

-----
Abstract from the paper:
-----

The Datagram Transport Layer Security (DTLS) protocol provides confidentiality and integrity of data exchanged between a client and a server. We describe an efficient and full plaintext recovery attack against the OpenSSL implementation of DTLS, and a partial plaintext recovery attack against the GnuTLS implementation of DTLS. The attack against the OpenSSL implementation is a variant of Vaudenay's padding oracle attack and exploits small timing differences arising during the cryptographic processing of DTLS packets. It would have been prevented if the OpenSSL implementation had been in accordance with the DTLS RFC. In contrast, the GnuTLS implementation does follow the DTLS RFC closely, but is still vulnerable to attack. The attacks require new insights to overcome the lack of error messages in DTLS and to amplify the timing differences. We discuss the reasons why these implementations are insecure, drawing lessons for secure protocol design and implementation in general.
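The failure pattern named in the description, as an added illustration in C that is not GnuTLS code: a simplified CBC record check in which a keyed FNV-style checksum (constructed, not a real HMAC) stands in for the MAC, showing the early-return shape beside a version that does the MAC work whether or not the padding length is consistent with the record length. A call counter makes the work difference visible without a timer.

```c
#include <stdint.h>
#include <string.h>

#define MAC_LEN 4
int mac_calls = 0;   /* counts MAC computations so the work difference is visible without a timer */

/* Constructed stand-in for HMAC (an FNV-style keyed checksum), NOT a real MAC. */
static void toy_mac(const uint8_t *key, const uint8_t *data, size_t len, uint8_t out[MAC_LEN]) {
    uint32_t h = 0x811c9dc5u;
    mac_calls++;
    for (size_t i = 0; i < 4; i++) h = (h ^ key[i]) * 16777619u;
    for (size_t i = 0; i < len; i++) h = (h ^ data[i]) * 16777619u;
    for (size_t i = 0; i < MAC_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}

/* Builds a decrypted record: payload || MAC(payload) || pad_len bytes of padding || pad_len. */
size_t build_record(const uint8_t *key, const uint8_t *payload, size_t plen, uint8_t pad_len, uint8_t *out) {
    memcpy(out, payload, plen);
    toy_mac(key, payload, plen, out + plen);
    memset(out + plen + MAC_LEN, pad_len, pad_len);
    out[plen + MAC_LEN + pad_len] = pad_len;
    return plen + MAC_LEN + pad_len + 1;
}

/* VULNERABLE shape (the CVE-2012-0390 pattern): when pad_len is inconsistent with
 * the record length the function returns before any MAC work, so that error path
 * is measurably faster than a MAC failure. Returns 0 on success, -1 on error. */
int check_record_vulnerable(const uint8_t *key, const uint8_t *rec, size_t len) {
    if (len < 1 + MAC_LEN) return -1;
    uint8_t pad_len = rec[len - 1];
    if ((size_t)pad_len + 1 + MAC_LEN > len) return -1;   /* early exit, MAC skipped */
    size_t payload_len = len - pad_len - 1 - MAC_LEN;
    uint8_t mac[MAC_LEN];
    toy_mac(key, rec, payload_len, mac);
    return memcmp(mac, rec + payload_len, MAC_LEN) == 0 ? 0 : -1;
}

/* HARDENED shape: a bad pad length is only recorded in a flag, the record is
 * processed as if it had no padding, and the MAC is always computed, so both
 * error causes cost the same work and report the same single failure. */
int check_record_hardened(const uint8_t *key, const uint8_t *rec, size_t len) {
    if (len < 1 + MAC_LEN) return -1;
    uint8_t pad_len = rec[len - 1];
    int pad_ok = ((size_t)pad_len + 1 + MAC_LEN <= len);
    size_t payload_len = len - (pad_ok ? pad_len : 0) - 1 - MAC_LEN;
    uint8_t mac[MAC_LEN], diff = 0;
    toy_mac(key, rec, payload_len, mac);
    for (size_t i = 0; i < MAC_LEN; i++) diff |= mac[i] ^ rec[payload_len + i];   /* constant-time compare */
    return (diff | (uint8_t)!pad_ok) ? -1 : 0;
}
```

Real record MACs also cover the sequence number and header; the point here is only that the padding-error path and the MAC-error path do the same amount of work.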

Comment 1 Kurt Seifried 2012-01-06 05:37:38 UTC
git clone git://git.savannah.gnu.org/gnutls.git
cd gnutls
git log

wget http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.10.tar.xz
tar xJf gnutls-3.0.10.tar.xz
diff -ru gnutls-3.0.10/src/ gnutls/src/

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=summary

nothing fixed yet.

Comment 2 Kurt Seifried 2012-01-06 05:41:58 UTC
Created attachment 551088 [details]
Plaintext-Recovery Attacks Against Datagram TLS

Comment 4 Vincent Danen 2012-01-06 21:02:00 UTC
This is corrected in upstream 3.0.11 (GNUTLS-SA-2012-1):

http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5657

Comment 5 Kurt Seifried 2012-01-06 21:52:59 UTC
Created attachment 551286 [details]
GnuTLS 3.0.10 -> 3.0.11 diff patch with cruft removed

diff -ru gnutls 3.0.10 and 3.0.11, removed all the docs/etc cruft.

Comment 7 Kurt Seifried 2012-01-08 06:19:51 UTC
Spent too long staring at 3.x code, got tunnel vision. 2.x doesn't support DTLS, therefore not affected.

Comment 8 Tomas Hoger 2012-01-10 09:39:36 UTC
(In reply to comment #5)
> Created attachment 551286 [details]
> GnuTLS 3.0.10 -> 3.0.11 diff patch with cruft removed
> 
> diff -ru gnutls 3.0.10 and 3.0.11, removed all the docs/etc cruft.

It seems only part of that is relevant to this issue.  Upstream commit of the fix from one of the paper authors:

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=35e26ca63c6da01db460d93e9c4bf86cd668534c

Comment 10 Vincent Danen 2012-01-11 19:46:01 UTC
Statement:

Not vulnerable. This issue did not affect the versions of gnutls as shipped with Red Hat Enterprise Linux 4, 5 and 6 as they did not include support for DTLS.

