Timing Side-Channel Vulnerability in GnuTLS RSA ClientKeyExchange
CVE-2023-0361
7.4 HIGH
Summary
A timing side-channel vulnerability has been identified in GnuTLS's processing of RSA ClientKeyExchange messages. This flaw can expose sensitive keys over a network, enabling attackers to mount a Bleichenbacher-style attack. To exploit this vulnerability, the attacker must send a high volume of specially crafted messages to the vulnerable server. If successful, they can extract the secret from the ClientKeyExchange message, potentially leading to decryption of application data transmitted during that session.
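The generic server-side countermeasure for this class of flaw (RFC 5246, section 7.4.7.1) is to substitute a pre-drawn random premaster secret for any malformed ClientKeyExchange without branching on the result. The sketch below is an added example, not GnuTLS code or its fix; select_premaster, demo_case and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define PMS_LEN 48 /* TLS RSA premaster secret: 2 version bytes + 46 random */

/* 0xFF if x == 0, 0x00 otherwise, computed without a branch. */
static uint8_t ct_mask_if_zero(uint32_t x)
{
    return (uint8_t)(((x | (0u - x)) >> 31) - 1u);
}

/* Hypothetical helper: dec must have PMS_LEN readable bytes even when RSA
 * decryption failed; fallback is PMS_LEN random bytes drawn beforehand. */
void select_premaster(const uint8_t *dec, uint32_t dec_len, uint32_t decrypt_failed,
                      uint16_t client_version, const uint8_t *fallback, uint8_t *out)
{
    uint32_t bad = decrypt_failed;              /* padding check result */
    bad |= dec_len ^ PMS_LEN;                   /* wrong plaintext length */
    bad |= (uint32_t)(dec[0] ^ (client_version >> 8));   /* version mismatch */
    bad |= (uint32_t)(dec[1] ^ (client_version & 0xff));
    uint8_t keep = ct_mask_if_zero(bad);        /* 0xFF keeps dec, 0x00 swaps */
    for (size_t i = 0; i < PMS_LEN; i++)
        out[i] = (uint8_t)((dec[i] & keep) | (fallback[i] & (uint8_t)~keep));
}

/* Constructed sample: returns 1 if the decrypted value was kept, 0 if the
 * random fallback was substituted. No error is ever reported to the peer. */
int demo_case(uint32_t decrypt_failed, uint32_t dec_len, uint16_t hello_version)
{
    uint8_t dec[PMS_LEN], fallback[PMS_LEN], out[PMS_LEN];
    uint32_t diff = 0;
    for (size_t i = 0; i < PMS_LEN; i++) {
        dec[i] = (uint8_t)(0xA0 + i);   /* constructed "plaintext" */
        fallback[i] = (uint8_t)i;       /* stands in for CSPRNG output */
    }
    dec[0] = 0x03; dec[1] = 0x03;       /* plaintext claims TLS 1.2 */
    select_premaster(dec, dec_len, decrypt_failed, hello_version, fallback, out);
    for (size_t i = 0; i < PMS_LEN; i++)
        diff |= (uint32_t)(out[i] ^ dec[i]);
    return diff == 0;
}

int main(void)
{
    printf("valid=%d bad_padding=%d bad_len=%d bad_version=%d\n",
           demo_case(0, 48, 0x0303), demo_case(1, 48, 0x0303),
           demo_case(0, 47, 0x0303), demo_case(0, 48, 0x0302));
    return 0;
}
```

This covers only the selection step: the RSA decryption and PKCS#1 v1.5 unpadding that produce decrypt_failed and dec_len must themselves run in time independent of the plaintext, otherwise the timing difference remains.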
Affected Version(s)
gnutls gnutls-3.7.6
CVSS V3.1
Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved