CVE-2023-0361

HIGH

GnuTLS - Timing Side-Channel in RSA ClientKeyExchange Handling

Title source: llm

Description

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher-style attack. To achieve a successful decryption, the attacker would need to send a large number of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.

Scores

CVSS v3 7.4
EPSS 0.0362
EPSS Percentile 87.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-203
Status published
Products (10)
debian/debian_linux 10.0
fedoraproject/fedora 36
fedoraproject/fedora 37
fedoraproject/fedora 38
gnu/gnutls 3.6.8-11.el8_2
netapp/active_iq_unified_manager
netapp/converged_systems_advisor_agent
netapp/ontap_select_deploy_administration_utility
redhat/enterprise_linux 8.0
redhat/enterprise_linux 9.0
Published Feb 15, 2023
Tracked Since Feb 18, 2026