Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 455560 (CVE-2013-1619) - <net-libs/gnutls-{2.12.23,3.1.8}: TLS CBC padding timing attack (CVE-2013-1619)
Summary: <net-libs/gnutls-{2.12.23,3.1.8}: TLS CBC padding timing attack (CVE-2013-1619)
Alias: CVE-2013-1619
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Depends on:
Reported: 2013-02-05 09:29 UTC by Agostino Sarubbo
Modified: 2013-10-28 11:53 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-02-05 09:29:24 UTC
From $URL :

A flaw in how TLS/DTLS, when CBC-mode encryption is used, communicates was reported.  This 
vulnerability can allow for a Man-in-the-Middle attacker to recover plaintext from a TLS/DTLS 
connection, when CBC-mode encryption is used.

This flaw is in the TLS specification, and not a bug in a specific implementation (as such, it 
affects nearly all implementations).  As such, it affects all TLS and DTLS implementations that are 
compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2.  It also applies to implementations of SSL 
3.0 and TLS 1.0 that incorporate countermeasures to deal with previous padding oracle attacks.  All 
TLS/DTLS ciphersuites that include CBC-mode encryption are potentially vulnerable.

The paper indicates that with OpenSSL, a full plaintext recovery attack is possible, and with 
GnuTLS, a partial plaintext recovery is possible (recovering up to 4 bits of the last byte in any 
block of plaintext).

To perform a successful attack, when TLS is used, a large number of TLS sessions are required 
(target plaintext must be sent repeatedly in the same position in the plaintext stream across the 
sessions).  For DTLS, a successful attack can be carried out in a single session.  The attacker 
must also be located close to the machine being attacked.

Further details are noted in the paper.

Current status of fixes in various implementations:

* OpenSSL has a patch in development
* NSS has a patch in development
* GnuTLS is fixed in versions 2.12.23, 3.0.28, and 3.1.7
* PolarSSL is fixed in version 1.2.5
* BouncyCastle has a patch that will be included in the forthcoming 1.48 version

External References:
Comment 2 Alon Bar-Lev (RETIRED) gentoo-dev 2013-02-05 10:42:32 UTC

In tree, should contain this fix.
Comment 3 Ronny Perinke 2013-02-08 22:06:08 UTC
Pidgin, Empathy and Telepathy can't connect to Google Talk anymore after upgrading to gnutls-3.1.7, please see bug 455800 for details.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2013-02-25 22:38:37 UTC
(In reply to comment #2)
> gnutls-2.12.23
> gnutls-3.1.7
> In tree, should contain this fix.

Thanks, Alon. May we proceed to stabilize =net-libs/gnutls-2.12.23 ?
Comment 5 Alon Bar-Lev (RETIRED) gentoo-dev 2013-02-26 07:53:04 UTC
(In reply to comment #4)
> (In reply to comment #2)
> > gnutls-2.12.23
> > gnutls-3.1.7
> > 
> > In tree, should contain this fix.
> Thanks, Alon. May we proceed to stabilize =net-libs/gnutls-2.12.23 ?

Seems so, no issues so far.

FYI the gnutls-3.1.7 was broken, gnutls-3.1.8 was released.

Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-04 00:57:25 UTC
Arches, please test and mark stable:
Target KEYWORDS: "alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-fbsd ~x86-interix ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x86-solaris"
Comment 7 Agostino Sarubbo gentoo-dev 2013-03-04 09:11:19 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-03-04 09:20:49 UTC
x86 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2013-03-04 15:36:48 UTC
Stable for HPPA.
Comment 10 Brent Baude (RETIRED) gentoo-dev 2013-03-04 18:16:39 UTC
ppc done
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 23:37:18 UTC
CVE-2013-1619 (
  The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and
  3.1.x before 3.1.7 does not properly consider timing side-channel attacks on
  a noncompliant MAC check operation during the processing of malformed CBC
  padding, which allows remote attackers to conduct distinguishing attacks and
  plaintext-recovery attacks via statistical analysis of timing data for
  crafted packets, a related issue to CVE-2013-0169.
Comment 12 Agostino Sarubbo gentoo-dev 2013-03-06 10:23:06 UTC
sh stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-03-08 17:45:18 UTC
arm stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-03-09 12:03:59 UTC
ppc64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-03-09 13:33:36 UTC
alpha stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-03-09 14:24:32 UTC
ia64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2013-03-09 19:08:21 UTC
sparc stable
Comment 18 Agostino Sarubbo gentoo-dev 2013-03-10 16:19:26 UTC
s390 stable
Comment 19 Tobias Heinlein (RETIRED) gentoo-dev 2013-03-24 19:33:16 UTC
GLSA request filed.
Comment 20 Alon Bar-Lev (RETIRED) gentoo-dev 2013-03-30 23:14:15 UTC
crypto done.
Comment 21 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-22 14:07:12 UTC
m68k -> ~ only, removing from CC. Maintainers unCC'd themselves, did the cleanup myself.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2013-10-28 11:53:27 UTC
This issue was resolved and addressed in
 GLSA 201310-18 at
by GLSA coordinator Sergey Popov (pinkbyte).