Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 439
Alerts This Week
Warning Icon 1 439

Mageia 6: 2018-0435 Critical: GnuTLS HMAC-SHA Timing Attack Mitigation

mageia
Calendar Grey November 3, 2018
Dist Mageia Esm H88
Mageia users can now benefit from updated gnutls packages that address significant vulnerabilities, including potential timing attack threats.
The updated packages fix security vulnerabilities: It was found that the GnuTLS implementation of HMAC-SHA-256 and HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack

Summary

The updated packages fix security vulnerabilities:
It was found that the GnuTLS implementation of HMAC-SHA-256 and HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets (CVE-2018-10844, CVE-2018-10845).
A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of "Just in Time" Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets (CVE-2018-10846).

References

- https://bugs.mageia.org/show_bug.cgi?id=23682

- - - https://www.cve.org/CVERecord?id=CVE-2018-10844

- https://www.cve.org/CVERecord?id=CVE-2018-10845

- https://www.cve.org/CVERecord?id=CVE-2018-10846

Resolution

SRPMS

- 6/core/gnutls-3.5.13-1.1.mga6

Severity
critical
Lowest
Low
Medium
High
Critical

Publication date: 03 Nov 2018
URL: https://advisories.mageia.org/MGASA-2018-0435.html
Type: security
CVE: CVE-2018-10844, CVE-2018-10845, CVE-2018-10846

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.