A flaw was reported in how TLS/DTLS communicates when CBC-mode encryption is used. This vulnerability can allow a Man-in-the-Middle attacker to recover plaintext from a TLS/DTLS connection when CBC-mode encryption is used. This flaw is in the TLS specification, and not a bug in a specific implementation (as such, it affects nearly all implementations). As such, it affects all TLS and DTLS implementations that are compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2. It also applies to implementations of SSL 3.0 and TLS 1.0 that incorporate countermeasures to deal with previous padding oracle attacks. All TLS/DTLS ciphersuites that include CBC-mode encryption are potentially vulnerable.

The paper indicates that with OpenSSL, a full plaintext recovery attack is possible, and with GnuTLS, a partial plaintext recovery is possible (recovering up to 4 bits of the last byte in any block of plaintext). To perform a successful attack, when TLS is used, a large number of TLS sessions are required (the target plaintext must be sent repeatedly in the same position in the plaintext stream across the sessions). For DTLS, a successful attack can be carried out in a single session. The attacker must also be located close to the machine being attacked.

Further details are noted in the paper: http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

External References:
http://www.isg.rhul.ac.uk/tls/
http://www.gnutls.org/security.html#GNUTLS-SA-2013-1

Patches:
2.12.x:
https://gitorious.org/gnutls/gnutls/commit/458c67cf98740e7b12404f6c30e0d5317d56fd30
https://gitorious.org/gnutls/gnutls/commit/93b7fcfa3297a9123630704668b2946f602b910e
3.0.x:
https://gitorious.org/gnutls/gnutls/commit/8dc2822966f64dd9cf7dde9c7aacd80d49d3ffe5
3.2.x / master:
https://gitorious.org/gnutls/gnutls/commit/328ee22c1b3951e060c7124c7cb1cee592c59bc0
To clarify, this CVE is specifically for: "The GnuTLS implementation of MEE-TLS-CBC deals with bad padding in a different way to that recommended in the RFCs: instead of assuming zero-length padding, it uses the last byte of plaintext to determine how many plaintext bytes to remove (whether or not those bytes are correctly formatted padding). ... This indicates that ignoring the recommendations of the RFCs can have severe security consequences." This is not quite the same as what is described in comment #0 (that description is for CVE-2013-0169, which also affects GnuTLS).
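The two padding-handling strategies contrasted in the quote above, as an added illustration (not GnuTLS source code): one function strips trailing bytes according to the last byte even when the padding bytes are malformed, the other follows the RFC 5246 recommendation of treating malformed padding as zero-length so the MAC is computed over a length that does not depend on the padding bytes. Function names, the hypothetical record layout and the return convention are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Input: a decrypted CBC record laid out as  data || MAC || padding || pad_len
 * (a constructed layout for this example). Both functions set *out_len to the
 * length that remains for MAC verification and return 0 when the padding is
 * well formed, 1 when it is not (the caller must still run the MAC in the
 * latter case and then reject the record). Hypothetical names, not GnuTLS API.
 */

/* Behaviour quoted in comment #3: the last byte decides how much is stripped
 * even when the preceding bytes are not valid padding, so the MAC is then
 * computed over a length chosen by that byte. */
int strip_padding_trust_last_byte(const uint8_t *rec, size_t len,
                                  size_t mac_len, size_t *out_len)
{
    if (len < mac_len + 1)
        return 1;
    size_t pad = rec[len - 1];
    if (pad + 1 + mac_len > len)   /* cannot strip more than is present */
        pad = 0;
    uint8_t bad = 0;
    for (size_t i = 0; i <= pad; i++)
        bad |= rec[len - 1 - i] ^ (uint8_t)pad;
    *out_len = len - pad - 1;      /* stripped regardless of 'bad' */
    return bad ? 1 : 0;
}

/* RFC 5246 section 6.2.3.2 recommendation: on malformed padding, assume a
 * padding length of zero, so only the pad_len byte is removed and the MAC
 * runs over the same length whatever the padding bytes contained. */
int strip_padding_rfc(const uint8_t *rec, size_t len,
                      size_t mac_len, size_t *out_len)
{
    if (len < mac_len + 1)
        return 1;
    size_t pad = rec[len - 1];
    uint8_t bad = 0;
    if (pad + 1 + mac_len > len) { pad = 0; bad = 1; }
    for (size_t i = 0; i <= pad; i++)
        bad |= rec[len - 1 - i] ^ (uint8_t)pad;
    if (bad)
        pad = 0;                   /* zero-length padding assumed */
    *out_len = len - pad - 1;
    return bad ? 1 : 0;
}
```

The padding-check loop above still does work proportional to the pad byte; the paper's point is that a production implementation must also make that loop and the MAC computation independent of the padding value.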
Sorry, as per: http://www.openwall.com/lists/oss-security/2013/02/06/1 CVE-2013-0169 does _not_ affect GnuTLS.
Created mingw32-gnutls tracking bugs for this issue
Affects: fedora-16 [bug 908418]
Affects: epel-5 [bug 908419]
Created mingw-gnutls tracking bugs for this issue
Affects: fedora-17 [bug 908441]
Created mingw-gnutls tracking bugs for this issue
Affects: fedora-18 [bug 908443]
Created attachment 694893: gnutls 2.12.20 patch1
The provided patches for 2.12.x do not apply against 2.12.20 (Fedora 17). I have modified them to apply.
Created attachment 694894: gnutls 2.12.20 patch2
Write up from Nikos Mavrogiannopoulos, one of the GnuTLS authors: http://nmav.gnutls.org/2013/02/time-is-money-for-cbc-ciphersuites.html
mingw-gnutls-2.12.22-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
mingw-gnutls-2.12.20-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2013:0588 https://rhn.redhat.com/errata/RHSA-2013-0588.html
gnutls-2.12.23-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
libtasn1-2.14-1.fc17 and gnutls-2.12.23-1.fc17 have been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
RHEV-H and Agents for RHEL-6
Via RHSA-2013:0636 https://rhn.redhat.com/errata/RHSA-2013-0636.html