Bug 908238 (CVE-2013-1619) - CVE-2013-1619 gnutls: TLS CBC padding timing attack (lucky-13)
Summary: CVE-2013-1619 gnutls: TLS CBC padding timing attack (lucky-13)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-1619
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 907983 908418 908419 908441 908443 911072 911073 911076 911077
Blocks: 907592
Reported: 2013-02-06 08:47 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-02-17 08:05 UTC (History)

Fixed In Version: gnutls 2.12.23, gnutls 3.0.28, gnutls 3.1.7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-26 06:47:40 UTC


Attachments
gnutls 2.12.20 patch1 (5.43 KB, patch)
2013-02-08 02:37 UTC, Michael Cronenworth
gnutls 2.12.20 patch2 (3.52 KB, patch)
2013-02-08 02:38 UTC, Michael Cronenworth


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0588 0 normal SHIPPED_LIVE Moderate: gnutls security update 2013-03-05 02:11:21 UTC
Red Hat Product Errata RHSA-2013:0636 0 normal SHIPPED_LIVE Important: rhev-hypervisor6 security and bug fix update 2013-03-13 18:47:11 UTC

Description Huzaifa S. Sidhpurwala 2013-02-06 08:47:41 UTC
A flaw in how TLS/DTLS, when CBC-mode encryption is used, communicates was reported.  This vulnerability can allow for a Man-in-the-Middle attacker to recover plaintext from a TLS/DTLS connection, when CBC-mode encryption is used.

This flaw is in the TLS specification, and not a bug in a specific implementation (as such, it affects nearly all implementations).  As such, it affects all TLS and DTLS implementations that are compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2.  It also applies to implementations of SSL 3.0 and TLS 1.0 that incorporate countermeasures to deal with previous padding oracle attacks.  All TLS/DTLS ciphersuites that include CBC-mode encryption are potentially vulnerable.

The paper indicates that with OpenSSL, a full plaintext recovery attack is possible, and with GnuTLS, a partial plaintext recovery is possible (recovering up to 4 bits of the last byte in any block of plaintext).

To perform a successful attack, when TLS is used, a large number of TLS sessions are required (target plaintext must be sent repeatedly in the same position in the plaintext stream across the sessions).  For DTLS, a successful attack can be carried out in a single session.  The attacker must also be located close to the machine being attacked.

Further details are noted in the paper:

http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

External References:

http://www.isg.rhul.ac.uk/tls/
http://www.gnutls.org/security.html#GNUTLS-SA-2013-1

Patches:

2.12.x:
https://gitorious.org/gnutls/gnutls/commit/458c67cf98740e7b12404f6c30e0d5317d56fd30
https://gitorious.org/gnutls/gnutls/commit/93b7fcfa3297a9123630704668b2946f602b910e

3.0.x:
https://gitorious.org/gnutls/gnutls/commit/8dc2822966f64dd9cf7dde9c7aacd80d49d3ffe5

3.2.x / master:
https://gitorious.org/gnutls/gnutls/commit/328ee22c1b3951e060c7124c7cb1cee592c59bc0

Comment 1 Vincent Danen 2013-02-06 16:32:24 UTC
To clarify, this CVE is specifically for:

"The GnuTLS implementation of MEE-TLS-CBC deals with bad padding
in a different way to that recommended in the RFCs: instead of
assuming zero-length padding, it uses the last byte of plaintext
to determine how many plaintext bytes to remove (whether or not
those bytes are correctly formatted padding). ... This indicates
that ignoring the recommendations of the RFCs can have severe
security consequences."

Which is not quite the same as that described in comment #0 (that description is for CVE-2013-0169 which also affects GnuTLS).
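
The following is an added illustration, not GnuTLS code and not from the paper: a Python model of the two record-processing strategies discussed in the description and in comment 1. It operates on a record after CBC decryption (data || HMAC-SHA1 tag || padding || pad_len) and models the attacker's timing measurement as the number of SHA-1 compression-function calls HMAC spends, which is what makes the 13-byte record header matter. `check_trust_last_byte` strips as many bytes as the last byte says, whether or not the padding is well formed, so the amount of data MACed, and the modelled work, follows the attacker-influenced last byte. `check_equal_work` is one way to implement the RFC 5246 section 6.2.3.2 advice (verify the padding, treat bad padding as zero-length, always compute the MAC) plus dummy HMAC work so every path costs the same. The key, sequence number, record contents and the choice of last-byte values are constructed for the example; overwriting the last byte directly stands in for the CBC malleability the real attack uses, and Python cannot be made branch-free, so only the work counter is the modelled leak.

```python
import hashlib
import hmac
import struct

MAC_LEN = 20   # HMAC-SHA1 tag
HDR_LEN = 13   # seq_num(8) || type(1) || version(2) || length(2): the "13" in Lucky 13


def hmac_sha1_compressions(data_len: int) -> int:
    """SHA-1 compression calls HMAC-SHA1 spends on HDR_LEN + data_len message bytes.

    Inner hash: 64-byte keyed pad, the message, then SHA-1 padding (0x80, zeros,
    8-byte length: at least 9 bytes) rounded up to a 64-byte block.
    Outer hash: 64-byte pad + 20-byte inner digest, always 2 blocks.
    """
    inner_msg = 64 + HDR_LEN + data_len
    return (inner_msg + 9 + 63) // 64 + 2


class Work:
    """Counter standing in for the time the attacker measures over the network."""
    def __init__(self):
        self.calls = 0


def tls_mac(key: bytes, seq: int, data: bytes, work: Work) -> bytes:
    # type 23 = application_data, version 0x0302 = TLS 1.1 (constructed header)
    header = struct.pack(">QBHH", seq, 23, 0x0302, len(data))
    work.calls += hmac_sha1_compressions(len(data))
    return hmac.new(key, header + data, hashlib.sha1).digest()


def make_record(key: bytes, seq: int, plaintext: bytes, pad_len: int) -> bytes:
    """Record as it looks after CBC decryption: data || tag || pad bytes || pad_len."""
    tag = tls_mac(key, seq, plaintext, Work())
    return plaintext + tag + bytes([pad_len]) * (pad_len + 1)


def check_trust_last_byte(key: bytes, seq: int, rec: bytes, work: Work) -> bool:
    """Remove pad_len+1 bytes as dictated by the last byte without checking that
    the padding bytes are well formed (the behaviour quoted in comment 1)."""
    pad_len = rec[-1]
    body_len = len(rec) - pad_len - 1
    if body_len < MAC_LEN:
        return False        # rejected before any MAC work: a second distinguishable path
    data, tag = rec[:body_len - MAC_LEN], rec[body_len - MAC_LEN:body_len]
    return hmac.compare_digest(tls_mac(key, seq, data, work), tag)


def check_equal_work(key: bytes, seq: int, rec: bytes, work: Work) -> bool:
    """Verify the padding, fall back to zero-length padding when it is bad, always
    compute the MAC, then add dummy HMAC work so the total is independent of rec[-1]."""
    claimed = rec[-1]
    max_data = len(rec) - MAC_LEN - 1          # data length when pad_len == 0
    diff = int(claimed > max_data)
    # Scan a fixed 256-byte window so the padding check itself has no length dependence.
    for i in range(1, 257):
        if i <= claimed and i < len(rec):
            diff |= rec[-1 - i] ^ claimed
    pad_len = claimed if diff == 0 else 0
    data_len = max_data - pad_len
    data, tag = rec[:data_len], rec[data_len:data_len + MAC_LEN]
    ok = hmac.compare_digest(tls_mac(key, seq, data, work), tag)
    # Dummy work: every path ends at the cost of the longest possible data plus the
    # cheapest possible extra HMAC (4 calls, which a 42-byte dummy message costs).
    target = hmac_sha1_compressions(max_data) + 4
    dummy_calls = target - hmac_sha1_compressions(data_len)
    dummy_len = 64 * (dummy_calls - 2) - 86
    tls_mac(key, seq, b"\0" * dummy_len, work)
    return ok and diff == 0


def work_profile(check, key: bytes, seq: int, rec: bytes, last_bytes) -> dict:
    """Overwrite the last byte of rec with each candidate (stand-in for a CBC
    bit-flip in the preceding ciphertext block) and record the modelled HMAC work."""
    profile = {}
    for b in last_bytes:
        work = Work()
        check(key, seq, rec[:-1] + bytes([b]), work)
        profile[b] = work.calls
    return profile


if __name__ == "__main__":
    key = b"\x11" * 20                                  # constructed MAC key
    rec = make_record(key, 1, b"A" * 110, 3)            # 110 data bytes, 3 padding bytes
    probes = (3, 0, 15, 80, 200)
    print("trust last byte:", work_profile(check_trust_last_byte, key, 1, rec, probes))
    print("equal work:     ", work_profile(check_equal_work, key, 1, rec, probes))
```

With the trusting check the work counter takes several distinct values across last-byte guesses (and drops to zero on the early-reject path), so the attacker learns which range the byte falls in; only the HMAC block count is visible, so several guesses collapse onto the same value, which fits the partial recovery the description reports for GnuTLS rather than byte-exact recovery. With the equalized check every probe costs the same and is rejected the same way.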

Comment 2 Vincent Danen 2013-02-06 16:35:48 UTC
Sorry, as per:

http://www.openwall.com/lists/oss-security/2013/02/06/1

CVE-2013-0169 does _not_ affect GnuTLS.

Comment 3 Vincent Danen 2013-02-06 16:42:57 UTC
Created mingw32-gnutls tracking bugs for this issue

Affects: fedora-16 [bug 908418]
Affects: epel-5 [bug 908419]

Comment 4 Vincent Danen 2013-02-06 17:30:45 UTC
Created mingw-gnutls tracking bugs for this issue

Affects: fedora-17 [bug 908441]

Comment 5 Vincent Danen 2013-02-06 17:32:16 UTC
Created mingw-gnutls tracking bugs for this issue

Affects: fedora-18 [bug 908443]

Comment 6 Michael Cronenworth 2013-02-08 02:37:58 UTC
Created attachment 694893 [details]
gnutls 2.12.20 patch1

The provided patches for 2.12.x do not apply against 2.12.20 (Fedora 17). I have modified them to apply.

Comment 7 Michael Cronenworth 2013-02-08 02:38:27 UTC
Created attachment 694894 [details]
gnutls 2.12.20 patch2

Comment 8 Tomas Hoger 2013-02-08 09:24:01 UTC
Write up from Nikos Mavrogiannopoulos, one of the GnuTLS authors:

http://nmav.gnutls.org/2013/02/time-is-money-for-cbc-ciphersuites.html

Comment 11 Fedora Update System 2013-02-17 03:26:24 UTC
mingw-gnutls-2.12.22-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2013-02-17 03:31:00 UTC
mingw-gnutls-2.12.20-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 errata-xmlrpc 2013-03-04 21:14:34 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0588 https://rhn.redhat.com/errata/RHSA-2013-0588.html

Comment 14 Fedora Update System 2013-03-05 23:27:02 UTC
gnutls-2.12.23-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2013-03-12 23:33:00 UTC
libtasn1-2.14-1.fc17, gnutls-2.12.23-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 errata-xmlrpc 2013-03-13 14:48:06 UTC
This issue has been addressed in following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2013:0636 https://rhn.redhat.com/errata/RHSA-2013-0636.html

