Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 455560 (CVE-2013-1619)

Summary: <net-libs/gnutls-{2.12.23,3.1.8}: TLS CBC padding timing attack (CVE-2013-1619)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=907589
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-02-05 09:29:24 UTC 
From $URL :

A flaw in how TLS/DTLS, when CBC-mode encryption is used, communicates was reported.  This 
vulnerability can allow for a Man-in-the-Middle attacker to recover plaintext from a TLS/DTLS 
connection, when CBC-mode encryption is used.

This flaw is in the TLS specification, and not a bug in a specific implementation (as such, it 
affects nearly all implementations).  As such, it affects all TLS and DTLS implementations that are 
compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2.  It also applies to implementations of SSL 
3.0 and TLS 1.0 that incorporate countermeasures to deal with previous padding oracle attacks.  All 
TLS/DTLS ciphersuites that include CBC-mode encryption are potentially vulnerable.

The paper indicates that with OpenSSL, a full plaintext recovery attack is possible, and with 
GnuTLS, a partial plaintext recovery is possible (recovering up to 4 bits of the last byte in any 
block of plaintext).

To perform a successful attack, when TLS is used, a large number of TLS sessions are required 
(target plaintext must be sent repeatedly in the same position in the plaintext stream across the 
sessions).  For DTLS, a successful attack can be carried out in a single session.  The attacker 
must also be located close to the machine being attacked.

Further details are noted in the paper.

Current status of fixes in various implementations:

* OpenSSL has a patch in development
* NSS has a patch in development
* GnuTLS is fixed in versions 2.12.23, 3.0.28, and 3.1.7
* PolarSSL is fixed in version 1.2.5
* BouncyCastle has a patch that will be included in the forthcoming 1.48 version


External References:

http://www.isg.rhul.ac.uk/tls/
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
http://www.gnutls.org/security.html#GNUTLS-SA-2013-1
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released
Comment 2 Alon Bar-Lev (RETIRED) gentoo-dev 2013-02-05 10:42:32 UTC 
gnutls-2.12.23
gnutls-3.1.7

In tree, should contain this fix.
Comment 3 Ronny Perinke 2013-02-08 22:06:08 UTC 
Pidgin, Empathy and Telepathy can't connect to Google Talk anymore after upgrading to gnutls-3.1.7, please see bug 455800 for details.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2013-02-25 22:38:37 UTC 
(In reply to comment #2)
> gnutls-2.12.23
> gnutls-3.1.7
> 
> In tree, should contain this fix.

Thanks, Alon. May we proceed to stabilize =net-libs/gnutls-2.12.23 ?
Comment 5 Alon Bar-Lev (RETIRED) gentoo-dev 2013-02-26 07:53:04 UTC 
(In reply to comment #4)
> (In reply to comment #2)
> > gnutls-2.12.23
> > gnutls-3.1.7
> > 
> > In tree, should contain this fix.
> 
> Thanks, Alon. May we proceed to stabilize =net-libs/gnutls-2.12.23 ?

Seems so, no issues so far.

FYI the gnutls-3.1.7 was broken, gnutls-3.1.8 was released.

Thanks!
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-04 00:57:25 UTC 
Arches, please test and mark stable:
=net-libs/gnutls-2.12.23
Target KEYWORDS: "alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-fbsd ~x86-interix ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x86-solaris"
Comment 7 Agostino Sarubbo gentoo-dev 2013-03-04 09:11:19 UTC 
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-03-04 09:20:49 UTC 
x86 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2013-03-04 15:36:48 UTC 
Stable for HPPA.
Comment 10 Brent Baude (RETIRED) gentoo-dev 2013-03-04 18:16:39 UTC 
ppc done
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 23:37:18 UTC 
CVE-2013-1619 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1619):
  The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and
  3.1.x before 3.1.7 does not properly consider timing side-channel attacks on
  a noncompliant MAC check operation during the processing of malformed CBC
  padding, which allows remote attackers to conduct distinguishing attacks and
  plaintext-recovery attacks via statistical analysis of timing data for
  crafted packets, a related issue to CVE-2013-0169.
Comment 12 Agostino Sarubbo gentoo-dev 2013-03-06 10:23:06 UTC 
sh stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-03-08 17:45:18 UTC 
arm stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-03-09 12:03:59 UTC 
ppc64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-03-09 13:33:36 UTC 
alpha stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-03-09 14:24:32 UTC 
ia64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2013-03-09 19:08:21 UTC 
sparc stable
Comment 18 Agostino Sarubbo gentoo-dev 2013-03-10 16:19:26 UTC 
s390 stable
Comment 19 Tobias Heinlein (RETIRED) gentoo-dev 2013-03-24 19:33:16 UTC 
GLSA request filed.
Comment 20 Alon Bar-Lev (RETIRED) gentoo-dev 2013-03-30 23:14:15 UTC 
crypto done.
Comment 21 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-22 14:07:12 UTC 
m68k -> ~ only, removing from CC. Maintainers unCC'd themselves, did the cleanup myself.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2013-10-28 11:53:27 UTC 
This issue was resolved and addressed in
 GLSA 201310-18 at http://security.gentoo.org/glsa/glsa-201310-18.xml
by GLSA coordinator Sergey Popov (pinkbyte).