PT-2023-6290 · GnuTLS+10

Hubert Kario · Published 2023-02-14 · Updated 2025-03-19 · CVE-2023-0361

CVSS v3.1: 7.4 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

GnuTLS (affected versions not specified)

Description

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher-style attack. To achieve a successful decryption, the attacker would need to send a large number of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Side Channel Attack


Weakness Enumeration

Related Identifiers

ALSA-2023:1141
ALSA-2023:1569
ALT-PU-2023-1280
ALT-PU-2023-1327
ALT-PU-2023-1356
ALT-PU-2023-1366
AZL-13568
BDU:2023-07001
CESA-2023_1569
CVE-2023-0361
DLA-3321-1
DSA-5349-1
MGASA-2023-0067
OESA-2023-1126
OPENSUSE-SU-2024:12699-1
RHSA-2023:1141
RHSA-2023:1200
RHSA-2023:1569
RHSA-2023:3361
RHSA-2023_1141
RHSA-2023_1569
RLSA-2023:1141
RLSA-2023:1569
SUSE-SU-2023:0475-1
SUSE-SU-2023:0610-1
SUSE-SU-2023:4952-1
SUSE-SU-2023_0475-1
SUSE-SU-2023_0610-1
SUSE-SU-2023_4952-1
SUSE-SU-2024:1179-1
USN-5901-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
GnuTLS
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu