Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-0361

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.

Published

2023-02-15T18:15:11.683

Last Modified

2025-03-19T18:15:18.747

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.4 (HIGH)

Weaknesses

Type: Primary
CWE-203
Type: Secondary
CWE-203

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	gnu	gnutls	3.6.8-11.el8_2	Yes
Operating System	redhat	enterprise_linux	8.0	Yes
Operating System	redhat	enterprise_linux	9.0	Yes
Operating System	debian	debian_linux	10.0	Yes
Operating System	fedoraproject	fedora	36	Yes
Operating System	fedoraproject	fedora	37	Yes
Operating System	fedoraproject	fedora	38	Yes
Application	netapp	active_iq_unified_manager	-	Yes
Application	netapp	converged_systems_advisor_agent	-	Yes
Application	netapp	ontap_select_deploy_administration_utility	-	Yes

References

https://access.redhat.com/security/cve/CVE-2023-0361 Third Party Advisory ([email protected])
https://github.com/tlsfuzzer/tlsfuzzer/pull/679 Issue Tracking, Patch ([email protected])
https://gitlab.com/gnutls/gnutls/-/issues/1050 Exploit, Issue Tracking, Vendor Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2023/02/msg00015.html Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UFIA3X4IZ3CW7SRQ2UHNHNPMRIAWF2FI/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS4KVDOG6QTALWHC2QE4Y7VPDRMLTRWQ/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z634YBXAJ5VLDI62IOPBVP5K6YFHAWCY/ ([email protected])
https://security.netapp.com/advisory/ntap-20230324-0005/ Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20230725-0005/ ([email protected])
https://access.redhat.com/security/cve/CVE-2023-0361 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/tlsfuzzer/tlsfuzzer/pull/679 Issue Tracking, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://gitlab.com/gnutls/gnutls/-/issues/1050 Exploit, Issue Tracking, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/02/msg00015.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UFIA3X4IZ3CW7SRQ2UHNHNPMRIAWF2FI/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS4KVDOG6QTALWHC2QE4Y7VPDRMLTRWQ/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z634YBXAJ5VLDI62IOPBVP5K6YFHAWCY/ (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20230324-0005/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20230725-0005/ (af854a3a-2127-422b-91ae-364da2661108)