CVE-2024-28834Use of a Broken or Risky Cryptographic Algorithm in Azl3 Gnutls 3.8.3-2 ON Azure Linux 3.0

CWE-327Use of a Broken or Risky Cryptographic AlgorithmCWE-200Sensitive Information Exposure12 documents8 sources
Severity
5.3MEDIUMNVD
EPSS
2.3%
top 15.26%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Debian Gnutls28Msrc Azl3 Gnutls 3.8.3-2 ON Azure Linux 3.0Msrc Azl3 Gnutls 3.8.3-4 ON Azure Linux 3.0+3 more
Timeline
PublishedMar 21
Latest updateApr 15

Description

A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages6 packages

debiandebian/gnutls28< gnutls28 3.7.9-2+deb12u3 (bookworm)

🔴Vulnerability Details

4
OSV
gnutls28 vulnerabilities2024-04-29
OSV
gnutls28 vulnerabilities2024-04-15
OSV
CVE-2024-28834: A flaw was found in GnuTLS2024-03-21
GHSA
GHSA-frvc-6356-58xm: A flaw was found in GnuTLS2024-03-21

📋Vendor Advisories

7
Oracle
Oracle Oracle Communications Risk Matrix: BEServer (GnuTLS) — CVE-2024-288342025-04-15
Oracle
Oracle Oracle Communications Risk Matrix: Third Party (GnuTLS) — CVE-2024-288342025-01-15
Ubuntu
GnuTLS vulnerabilities2024-04-29
Ubuntu
GnuTLS vulnerabilities2024-04-15
Red Hat
gnutls: vulnerable to Minerva side-channel information leak2024-03-21