Описание
A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.
Отчет
The identified vulnerability in the GnuTLS library, designated as CVE-2024-0553, presents a moderate severity concern due to its potential for facilitating timing side-channel attacks in RSA-PSK ciphersuites. While the flaw allows for the exploitation of timing differentials during the key exchange process, enabling attackers to infer sensitive data, its impact is constrained by several factors. Firstly, successful exploitation requires precise timing measurements and sophisticated analysis techniques, posing a significant barrier to entry for potential attackers. Additionally, the effectiveness of the attack is contingent on environmental factors such as network latency and system load, further limiting its practical feasibility. This issue marked as an incomplete resolution for a previously identified vulnerability, CVE-2023-5981, indicating a potential persistence or recurrence of the problem.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | gnutls | Out of support scope | ||
| Red Hat Enterprise Linux 7 | gnutls | Out of support scope | ||
| Red Hat Enterprise Linux 8 | gnutls | Fixed | RHSA-2024:0627 | 31.01.2024 |
| Red Hat Enterprise Linux 8 | gnutls | Fixed | RHSA-2024:0627 | 31.01.2024 |
| Red Hat Enterprise Linux 8.6 Extended Update Support | gnutls | Fixed | RHSA-2024:1108 | 05.03.2024 |
| Red Hat Enterprise Linux 8.8 Extended Update Support | gnutls | Fixed | RHSA-2024:0796 | 13.02.2024 |
| Red Hat Enterprise Linux 9 | gnutls | Fixed | RHSA-2024:0533 | 29.01.2024 |
| Red Hat Enterprise Linux 9 | gnutls | Fixed | RHSA-2024:0533 | 29.01.2024 |
| Red Hat Enterprise Linux 9.2 Extended Update Support | gnutls | Fixed | RHSA-2024:1082 | 05.03.2024 |
| RHODF-4.15-RHEL-9 | odf4/cephcsi-rhel9 | Fixed | RHSA-2024:1383 | 19.03.2024 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.
A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.
A vulnerability was found in GnuTLS. The response times to malformed c ...
EPSS
7.5 High
CVSS3