Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 455
Alerts This Week
Warning Icon 1 455

Debian 8: DLA-1560-1 Critical: GnuTLS Timing Attack Fix

debian lts
Calendar Grey October 30, 2018
Dist Debian Esm H88
Enhance gnutls28 to mitigate timing attack risks and plaintext extraction weaknesses that impact TLS secure channels.
A set of vulnerabilities was discovered in GnuTLS which allowed attackers to do plain text recovery on TLS connections with certain cipher types

Summary

It was found that the GnuTLS implementation of HMAC-SHA-256 was
vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and
plaintext-recovery attacks via statistical analysis of timing data
using crafted packets.

CVE-2018-10845

It was found that the GnuTLS implementation of HMAC-SHA-384 was
vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain
text recovery attacks via statistical analysis of timing data
using crafted packets.

CVE-2018-10846

A cache-based side channel in GnuTLS implementation that leads to
plain text recovery in cross-VM attack setting was found. An
attacker could use a combination of "Just in Time" Prime+probe
attack in combination with Lucky-13 attack to recover plain text
using crafted packets.

For Debian 8 "Jessie", these problems have been fixed in version

Read the Full Advisory


Severity
critical
Lowest
Low
Medium
High
Critical

<pre><font face="Courier">Package: gnutls28
Version: 3.3.30-0+deb8u1
CVE ID: CVE-2018-10844 CVE-2018-10845 CVE-2018-10846

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.