Description
Pion DTLS is a Go implementation of Datagram Transport Layer Security. Pion DTLS versions v1.0.0 through v3.0.10 and 3.1.0 use random nonce generation with AES GCM ciphers, which makes it easier for remote attackers to obtain the authentication key and spoof data by leveraging the reuse of a nonce in a session and a "forbidden attack". Upgrade to v3.0.11, v3.1.1, or later.
A vulnerability has been identified in the Pion DTLS implementation where the use of random nonce generation with AES-GCM ciphers does not adhere to recommended cryptographic practices. Under certain conditions, this may allow remote attackers to more easily derive or reuse encryption authentication keys, potentially leading to spoofed or compromised DTLS sessions during communication.
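A dependency check for the version range stated above, as an added example (not code from Pion or from this advisory): it scans the text of a go.mod file for pion/dtls requirements that fall in the affected range. The module paths `github.com/pion/dtls` with `/v2` and `/v3` suffixes and the sample go.mod are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parse turns "v3.0.10" into 3000010. Suffixes after '-' or '+' are dropped.
func parse(v string) (n int, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, false
	}
	for _, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil || x < 0 || x > 999 {
			return 0, false
		}
		n = n*1000 + x
	}
	return n, true
}

// Affected applies the advisory's range: v1.0.0 through v3.0.10, plus 3.1.0.
func Affected(version string) bool {
	n, ok := parse(version)
	return ok && ((n >= 1000000 && n <= 3000010) || n == 3001000)
}

// ScanGoMod lists each pion/dtls requirement in go.mod text that is affected.
func ScanGoMod(gomod string) (hits []string) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		isDTLS := len(f) >= 2 && (f[0] == "github.com/pion/dtls" || strings.HasPrefix(f[0], "github.com/pion/dtls/v"))
		if isDTLS && Affected(f[1]) {
			hits = append(hits, f[0]+" "+f[1])
		}
	}
	return hits
}

func main() {
	// Constructed go.mod fragment for illustration.
	fmt.Println(ScanGoMod("require (\n\tgithub.com/pion/dtls/v2 v2.2.7\n\tgithub.com/pion/dtls/v3 v3.0.11\n)\n"))
}
```

Pseudo-versions and pre-releases are compared by their base version only, so review those entries by hand.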
Report
Red Hat Product Security classified this issue as Moderate severity, because an unauthenticated remote attacker could, in theory, take advantage of the improper nonce generation in Pion DTLS to more easily obtain the authentication key for AES-GCM ciphers and spoof or manipulate DTLS traffic. However, exploitation requires specific conditions and a detailed understanding of the protocol, contributing to a higher attack complexity. Additionally, there is no direct effect on data integrity or availability solely from this issue, and successful exploitation typically requires carefully crafted, protocol-level interactions. These factors limit the practical risk in most real-world deployments.
Mitigation
No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Network Observability Operator | network-observability/network-observability-ebpf-agent-rhel9 | Fix deferred | | |
| Network Observability Operator | network-observability/network-observability-flowlogs-pipeline-rhel9 | Fix deferred | | |
Additional information
Status:
5.9 Medium
CVSS3
Related vulnerabilities
Pion DTLS's usage of random nonce generation with AES GCM ciphers risks leaking the authentication key