Bug 2269228 (CVE-2024-28834) - CVE-2024-28834 gnutls: vulnerable to Minerva side-channel information leak
Summary: CVE-2024-28834 gnutls: vulnerable to Minerva side-channel information leak
Keywords:
Status: NEW
Alias: CVE-2024-28834
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2270616
Blocks: 2269079
 
Reported: 2024-03-12 18:30 UTC by Robb Gatica
Modified: 2024-07-10 14:19 UTC (History)

Fixed In Version: gnutls-3.8.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in GnuTLS. The Minerva attack is a timing side channel against ECDSA: when the time taken to produce a signature depends on the bit length of the per-signature nonce, an attacker who collects enough signatures together with their timings can tell which nonces are shorter than usual, and that partial knowledge of the nonces can be used to recover the private key. GnuTLS was found to leak in this way when signing with the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag (deterministic signatures): signing time shows a measurable step (about 34 ns in the reporter's measurements) between nonces of 513 bits and nonces of 512 bits.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:2617 0 None None None 2024-04-30 16:35:48 UTC
Red Hat Product Errata RHSA-2024:1879 0 None None None 2024-04-18 02:18:45 UTC
Red Hat Product Errata RHSA-2024:1997 0 None None None 2024-04-23 14:32:43 UTC
Red Hat Product Errata RHSA-2024:2044 0 None None None 2024-04-25 01:16:41 UTC
Red Hat Product Errata RHSA-2024:2889 0 None None None 2024-05-16 18:14:04 UTC

Description Robb Gatica 2024-03-12 18:30:13 UTC
Embargoed issue reported upstream:

---

My team and I have tested GnuTLS and we found that it is vulnerable to the Minerva attack. GnuTLS on its own is not vulnerable, but when we are using the deterministic code we can see a step from 513 K-bit-size to 512 K-bit-size.

The test scenario is that we are signing random messages using the gnutls_privkey_sign_data2 API function using "GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE" flag. Then using the private key, we extract the K value from the signatures. After that, based on the bit size of the extracted nonce we compare full-sized nonces to smaller ones and use the statistical tests to compare the signature times.

For testing, we used gnutls-3.7.6-23.el9.x86_64 and gnutls-devel-3.7.6-23.el9.x86_64

In these results, we can clearly see that there is a "step" from nonce size of 513 bits to nonce size of 512 bits. The size of this side channel is around 34 ns. The sample tested has 43,190,069 observations.

Reference: https://minerva.crocs.fi.muni.cz
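
The analysis step the reporter describes (extract k from each signature with the private key, group signatures by the bit length of k, compare signing times of the full-size and shorter buckets statistically) as an added, self-contained example. This is not code from the bug report or from GnuTLS: it uses a textbook affine ECDSA on the public NIST P-521 parameters (the 513/512-bit thresholds above fit a 521-bit group order) instead of gnutls_privkey_sign_data2, forces nonces to 513 and 512 bits so both buckets are populated (with random nonces those are roughly 2^-9 and 2^-10 events), and the signing-time samples are constructed Gaussian noise with an assumed 34 ns saving for 512-bit nonces, not measurements. Function names and the noise level are this example's own choices.

```python
"""Offline Minerva-style analysis: nonce bit length vs. signing time (P-521)."""
import hashlib
import random

# NIST P-521 domain parameters (FIPS 186-4). n is 521 bits, so a full-size
# nonce has 521 bits; a 512-bit nonce has nine leading zero bits.
P = 2**521 - 1
A = P - 3
B = 0x0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00
N = 0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409
G = (0x00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66,
     0x011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650)


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine addition on P-521; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Plain double-and-add: fine for offline analysis, not for a signer."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def ecdsa_sign(h, d, k):
    """Textbook ECDSA with a caller-chosen nonce k (stand-in for the library call)."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (h + r * d) % N
    return r, s


def recover_nonce(h, r, s, d):
    """k = s^-1 * (h + r*d) mod n: with the private key in hand, the analyst
    reads the nonce, and so its bit length, out of every signature."""
    return pow(s, -1, N) * (h + r * d) % N


def bucket_by_nonce_bits(records, d):
    """records of (h, r, s, signing_ns) -> {nonce bit length: [signing_ns, ...]}"""
    buckets = {}
    for h, r, s, t in records:
        buckets.setdefault(recover_nonce(h, r, s, d).bit_length(), []).append(t)
    return buckets


def welch_t(a, b):
    """Welch's t statistic: mean(a) - mean(b) in units of its standard error."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    va = sum((x - ma) ** 2 for x in a) / (len(a) - 1)
    vb = sum((x - mb) ** 2 for x in b) / (len(b) - 1)
    return (ma - mb) / (va / len(a) + vb / len(b)) ** 0.5


def constructed_records(per_bucket, leak_ns, sigma_ns, seed):
    """CONSTRUCTED data: nonces forced to 512/513 bits, timings = baseline +
    Gaussian noise - leak_ns for the 512-bit nonces. Returns (d, records)."""
    rng = random.Random(seed)
    d = rng.randrange(1, N)
    records = []
    for i in range(2 * per_bucket):
        bits = 512 + (i & 1)
        k = rng.getrandbits(bits) | (1 << (bits - 1))
        h = int.from_bytes(hashlib.sha512(b"msg-%d" % i).digest(), "big")
        r, s = ecdsa_sign(h, d, k)
        t = 2_300_000 + rng.gauss(0, sigma_ns) - (leak_ns if bits == 512 else 0.0)
        records.append((h, r, s, t))
    return d, records


def timing_t_statistic(per_bucket, leak_ns, sigma_ns=1000.0, seed=1):
    """Welch t of (513-bit bucket) minus (512-bit bucket) on constructed timings.
    Resolving a leak of leak_ns at ~4 standard errors needs per_bucket of
    roughly (4*sigma_ns/leak_ns)**2 samples, which is why the report needed
    tens of millions of observations."""
    rng = random.Random(seed)
    full = [2_300_000 + rng.gauss(0, sigma_ns) for _ in range(per_bucket)]
    short = [2_300_000 + rng.gauss(0, sigma_ns) - leak_ns for _ in range(per_bucket)]
    return welch_t(full, short)


if __name__ == "__main__":
    assert on_curve(G)
    d, records = constructed_records(per_bucket=8, leak_ns=34.0, sigma_ns=1000.0, seed=1)
    buckets = bucket_by_nonce_bits(records, d)
    print({bits: len(v) for bits, v in buckets.items()})
    print("t with 8 per bucket:", welch_t(buckets[513], buckets[512]))
    print("t with 200k per bucket, 34 ns leak:", timing_t_statistic(200_000, 34.0))
    print("t with 200k per bucket, no leak:", timing_t_statistic(200_000, 0.0))
```

With eight signatures per bucket the 34 ns step is buried in microseconds of noise; with 200,000 constructed samples per bucket the Welch statistic rises to roughly ten standard errors, and drops back to about zero when no leak is injected. In a real test the timings come from wrapping the library's signing call, and the nonce recovery is the only place the private key is needed.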

Comment 3 Sandipan Roy 2024-03-21 05:50:50 UTC
Created gnutls tracking bugs for this issue:

Affects: fedora-all [bug 2270616]

Comment 5 errata-xmlrpc 2024-04-18 02:18:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1879 https://access.redhat.com/errata/RHSA-2024:1879

Comment 6 errata-xmlrpc 2024-04-23 14:32:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1997 https://access.redhat.com/errata/RHSA-2024:1997

Comment 7 errata-xmlrpc 2024-04-25 01:16:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:2044 https://access.redhat.com/errata/RHSA-2024:2044

Comment 8 errata-xmlrpc 2024-05-16 18:14:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:2889 https://access.redhat.com/errata/RHSA-2024:2889

