Bug 908238 - (CVE-2013-1619) CVE-2013-1619 gnutls: TLS CBC padding timing attack (lucky-13)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20130204,repor...
Keywords: Security
Depends On: 907983 908418 908419 908441 908443 911072 911073 911076 911077
Blocks: 907592
Reported: 2013-02-06 03:47 EST by Huzaifa S. Sidhpurwala
Modified: 2015-11-24 10:26 EST (History)

Fixed In Version: gnutls 2.12.23, gnutls 3.0.28, gnutls 3.1.7
Doc Type: Bug Fix
Last Closed: 2013-03-26 02:47:40 EDT

Attachments
gnutls 2.12.20 patch1 (5.43 KB, patch)
2013-02-07 21:37 EST, Michael Cronenworth
gnutls 2.12.20 patch2 (3.52 KB, patch)
2013-02-07 21:38 EST, Michael Cronenworth
Description Huzaifa S. Sidhpurwala 2013-02-06 03:47:41 EST
A flaw in how TLS/DTLS, when CBC-mode encryption is used, communicates was reported.  This vulnerability can allow for a Man-in-the-Middle attacker to recover plaintext from a TLS/DTLS connection, when CBC-mode encryption is used.

This flaw is in the TLS specification, and not a bug in a specific implementation (as such, it affects nearly all implementations).  As such, it affects all TLS and DTLS implementations that are compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2.  It also applies to implementations of SSL 3.0 and TLS 1.0 that incorporate countermeasures to deal with previous padding oracle attacks.  All TLS/DTLS ciphersuites that include CBC-mode encryption are potentially vulnerable.

The paper indicates that with OpenSSL, a full plaintext recovery attack is possible, and with GnuTLS, a partial plaintext recovery is possible (recovering up to 4 bits of the last byte in any block of plaintext).

To perform a successful attack, when TLS is used, a large number of TLS sessions are required (target plaintext must be sent repeatedly in the same position in the plaintext stream across the sessions).  For DTLS, a successful attack can be carried out in a single session.  The attacker must also be located close to the machine being attacked.

Further details are noted in the paper:

http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

External References:

http://www.isg.rhul.ac.uk/tls/
http://www.gnutls.org/security.html#GNUTLS-SA-2013-1

Patches:

2.12.x:
https://gitorious.org/gnutls/gnutls/commit/458c67cf98740e7b12404f6c30e0d5317d56fd30
https://gitorious.org/gnutls/gnutls/commit/93b7fcfa3297a9123630704668b2946f602b910e

3.0.x:
https://gitorious.org/gnutls/gnutls/commit/8dc2822966f64dd9cf7dde9c7aacd80d49d3ffe5

3.2.x / master:
https://gitorious.org/gnutls/gnutls/commit/328ee22c1b3951e060c7124c7cb1cee592c59bc0
Comment 1 Vincent Danen 2013-02-06 11:32:24 EST
To clarify, this CVE is specifically for:

"The GnuTLS implementation of MEE-TLS-CBC deals with bad padding
in a different way to that recommended in the RFCs: instead of
assuming zero-length padding, it uses the last byte of plaintext
to determine how many plaintext bytes to remove (whether or not
those bytes are correctly formatted padding). ... This indicates
that ignoring the recommendations of the RFCs can have severe
security consequences."

Which is not quite the same as that described in comment #0 (that description is for CVE-2013-0169 which also affects GnuTLS).
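To make the distinction in comment 1 concrete, here is an added model (not GnuTLS code and not part of this report) of the two padding-removal policies, measuring the HMAC-SHA1 work a receiver does in SHA-1 compression calls as a function of the untrusted last plaintext byte. The 13-byte MAC header, the HMAC-SHA1 tag length and the 256-byte record used below are assumptions.

```python
MAC_LEN = 20   # HMAC-SHA1 tag length in a TLS CBC record (assumed cipher suite)
HDR_LEN = 13   # seq_num(8) + type(1) + version(2) + length(2), prepended to the MAC input

def hmac_sha1_compressions(n):
    """SHA-1 compression calls HMAC-SHA1 spends on HDR_LEN + n bytes of data:
    inner hash = 1 ipad block + ceil((HDR_LEN + n + 9) / 64) blocks, outer hash = 2."""
    return 3 + (HDR_LEN + n + 9 + 63) // 64

def padding_valid(pt):
    """RFC 5246 check: every padding byte must equal the padding_length byte."""
    pad = pt[-1]
    if pad + 1 + MAC_LEN > len(pt):
        return False
    return all(b == pad for b in pt[-(pad + 1):])

def strip_rfc(pt):
    """RFC 5246 6.2.3.2: on bad padding, continue as if padding_length were 0."""
    pad = pt[-1] if padding_valid(pt) else 0
    return pt[:len(pt) - pad - 1]

def strip_gnutls_prefix(pt):
    """Behaviour quoted in comment 1: the untrusted last byte alone decides how
    many bytes are removed, whether or not they are well-formed padding."""
    return pt[:len(pt) - pt[-1] - 1]

def mac_input_len(pt, strip):
    """Bytes that actually go into the MAC after padding removal (tag excluded)."""
    return len(strip(pt)) - MAC_LEN

def record_with_bad_padding(rec_len, pad):
    """Constructed decrypted record whose last byte is `pad` but whose other
    padding bytes are wrong (for pad == 0 there are none, so it is valid)."""
    filler = bytes([(pad + 1) & 0xFF]) * pad
    return b"A" * (rec_len - pad - 1) + filler + bytes([pad])

def leak_classes(rec_len, strip):
    """Distinct MAC workloads an observer could tell apart, over every value
    the untrusted last byte can take for a record of rec_len bytes."""
    counts = set()
    for pad in range(rec_len - MAC_LEN):
        n = mac_input_len(record_with_bad_padding(rec_len, pad), strip)
        counts.add(hmac_sha1_compressions(n))
    return sorted(counts)

if __name__ == "__main__":
    print("RFC policy    :", leak_classes(256, strip_rfc))            # [8]
    print("pre-fix GnuTLS:", leak_classes(256, strip_gnutls_prefix))  # [4, 5, 6, 7, 8]
```

Under the RFC policy every malformed padding leads to the same MAC workload, whereas the pre-fix policy lets the last byte select among several workloads, which is the timing signal the paper describes against GnuTLS. The RFC policy is not constant-time either (that difference between valid and invalid padding is the Lucky 13 attack proper), but it removes the dependence on the untrusted last byte.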
Comment 2 Vincent Danen 2013-02-06 11:35:48 EST
Sorry, as per:

http://www.openwall.com/lists/oss-security/2013/02/06/1

CVE-2013-0169 does _not_ affect GnuTLS.
Comment 3 Vincent Danen 2013-02-06 11:42:57 EST
Created mingw32-gnutls tracking bugs for this issue

Affects: fedora-16 [bug 908418]
Affects: epel-5 [bug 908419]
Comment 4 Vincent Danen 2013-02-06 12:30:45 EST
Created mingw-gnutls tracking bugs for this issue

Affects: fedora-17 [bug 908441]
Comment 5 Vincent Danen 2013-02-06 12:32:16 EST
Created mingw-gnutls tracking bugs for this issue

Affects: fedora-18 [bug 908443]
Comment 6 Michael Cronenworth 2013-02-07 21:37:58 EST
Created attachment 694893 [details]
gnutls 2.12.20 patch1

The provided patches for 2.12.x do not apply against 2.12.20 (Fedora 17). I have modified them to apply.
Comment 7 Michael Cronenworth 2013-02-07 21:38:27 EST
Created attachment 694894 [details]
gnutls 2.12.20 patch2
Comment 8 Tomas Hoger 2013-02-08 04:24:01 EST
Write up from Nikos Mavrogiannopoulos, one of the GnuTLS authors:

http://nmav.gnutls.org/2013/02/time-is-money-for-cbc-ciphersuites.html
Comment 11 Fedora Update System 2013-02-16 22:26:24 EST
mingw-gnutls-2.12.22-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2013-02-16 22:31:00 EST
mingw-gnutls-2.12.20-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 errata-xmlrpc 2013-03-04 16:14:34 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0588 https://rhn.redhat.com/errata/RHSA-2013-0588.html
Comment 14 Fedora Update System 2013-03-05 18:27:02 EST
gnutls-2.12.23-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2013-03-12 19:33:00 EDT
libtasn1-2.14-1.fc17, gnutls-2.12.23-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 errata-xmlrpc 2013-03-13 10:48:06 EDT
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2013:0636 https://rhn.redhat.com/errata/RHSA-2013-0636.html
