Gnutls: timing side-channel in the rsa-psk authentication
CVE-2023-5981

5.9MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 8.6 Extended Update Support; Red Hat Enterprise Linux 8.8 Extended Update Support; Red Hat Enterprise Linux 9
Vendor: CVE Published:; 28 November 2023

Summary

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.

Affected Version(s)

Red Hat Enterprise Linux 8 0:3.6.16-8.el8_9

Red Hat Enterprise Linux 8.6 Extended Update Support 0:3.6.16-5.el8_6.2

References

https://access.redhat.com/errata/RHSA-2024:0155

vendor-advisoryx_refsource_REDHAT

https://access.redhat.com/errata/RHSA-2024:0319

vendor-advisoryx_refsource_REDHAT

https://access.redhat.com/errata/RHSA-2024:0399

vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 28, 2023
Vulnerability Reserved
Nov 7, 2023

Credit

This issue was discovered by Daiki Ueno (Red Hat).