CVE-2023-0361

7.4HIGH

Key Information

Vendor: Gnu
Status: gnutls
Vendor: CVE Published:; 15 February 2023

Summary

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.

Affected Version(s)

gnutls = gnutls-3.7.6

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Feb 15, 2023
Vulnerability Reserved.
Jan 18, 2023

Collectors

NVD DatabaseMitre Database