CVE-2018-10845

MEDIUM

GnuTLS < 3.6.12 - Timing Side-Channel Attack via HMAC-SHA-384

Description

It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky Thirteen-style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext recovery attacks via statistical analysis of timing data using crafted packets.

References (10)

Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10845
Third Party Advisory x_refsource_misc
https://eprint.iacr.org/2018/747
Patch, Third Party Advisory x_refsource_confirm
https://gitlab.com/gnutls/gnutls/merge_requests/657
Broken Link vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3505
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/105138
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3050
Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/10/msg00022.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3999-1/

Scores

CVSS v3 5.9
EPSS 0.0077
EPSS Percentile 73.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-327 CWE-385
Status published
Products (11)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 18.10
canonical/ubuntu_linux 19.04
debian/debian_linux 8.0
fedoraproject/fedora 31
fedoraproject/fedora 32
gnu/gnutls < 3.6.12
redhat/enterprise_linux_desktop 7.0
redhat/enterprise_linux_server 7.0
... and 1 more
Published Aug 22, 2018
Tracked Since Feb 18, 2026