CVE Vulnerability

CVE-2023-0361

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://gitlab.com/gnutls/gnutls/-/issues/1050 Exploit Issue Tracking
https://github.com/tlsfuzzer/tlsfuzzer/pull/679 Issue Tracking Patch
https://access.redhat.com/security/cve/CVE-2023-0361 Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/02/msg00015.html Mailing List Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:gnu:gnutls:3.6.8-11.el8_2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Information

Published : 2023-02-15 06:15

Updated : 2023-02-24 06:58

NVD link : CVE-2023-0361

Mitre link : CVE-2023-0361

Products Affected

Debian

Gnu

Redhat

CWE
No CWE.