CVE-2023-5981 — Observable Timing Discrepancy in Gnutls

CWE-208 — Observable Timing Discrepancy CWE-203 — Observable Discrepancy12 documents9 sources

Severity

5.9MEDIUMNVD

EPSS

0.9%

top 24.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Gnutls Debian Linux Fedoraproject Fedora +1 more

Timeline

PublishedNov 28

Latest updateJul 15

Description

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶NVDgnu/gnutls< 3.8.2

▶NVDredhat/linux8.0, 9.0+1

Also affects: Debian Linux 10.0, Fedora 37, 38

🔴Vulnerability Details

GHSA

GHSA-jvj3-gqjm-cg8p: A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with↗2023-11-28

▶

OSV

CVE-2023-5981: A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with↗2023-11-28

▶

CVEList

Gnutls: timing side-channel in the rsa-psk authentication↗2023-11-28

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Applications Risk Matrix: Installation (GnuTLS) — CVE-2023-5981↗2024-07-15

▶

Red Hat

gnutls: incomplete fix for CVE-2023-5981↗2024-01-16

▶

Microsoft

Gnutls: incomplete fix for cve-2023-5981↗2024-01-09

▶

Ubuntu

GnuTLS vulnerability↗2024-01-08

▶

Ubuntu

GnuTLS vulnerability↗2023-11-21

▶