Vulnerability Description
A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnu | Gnutls | 3.6.8-11.el8_2 |
| Redhat | Enterprise Linux | 8.0 |
| Debian | Debian Linux | 10.0 |
| Fedoraproject | Fedora | 36 |
| Netapp | Active Iq Unified Manager | - |
| Netapp | Converged Systems Advisor Agent | - |
| Netapp | Ontap Select Deploy Administration Utility | - |
Related Weaknesses (CWE)
References
- https://access.redhat.com/security/cve/CVE-2023-0361Third Party Advisory
- https://github.com/tlsfuzzer/tlsfuzzer/pull/679Issue TrackingPatch
- https://gitlab.com/gnutls/gnutls/-/issues/1050ExploitIssue TrackingVendor Advisory
- https://lists.debian.org/debian-lts-announce/2023/02/msg00015.htmlMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.netapp.com/advisory/ntap-20230324-0005/Third Party Advisory
- https://security.netapp.com/advisory/ntap-20230725-0005/
- https://access.redhat.com/security/cve/CVE-2023-0361Third Party Advisory
- https://github.com/tlsfuzzer/tlsfuzzer/pull/679Issue TrackingPatch
- https://gitlab.com/gnutls/gnutls/-/issues/1050ExploitIssue TrackingVendor Advisory
- https://lists.debian.org/debian-lts-announce/2023/02/msg00015.htmlMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2023-0361?
CVE-2023-0361 is a vulnerability with a CVSS score of 7.4 (HIGH). A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a networ...
How severe is CVE-2023-0361?
CVE-2023-0361 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-0361?
Check the references section above for vendor advisories and patch information. Affected products include: Gnu Gnutls, Redhat Enterprise Linux, Debian Debian Linux, Fedoraproject Fedora, Netapp Active Iq Unified Manager.