A high-severity vulnerability has been disclosed in GnuTLS in the handling of the RSA-PSK (RSA Pre-Shared Key) ClientKeyExchange message. The vulnerability, assigned the identifier CVE-2024-0553, allows a remote attacker to mount a timing side-channel attack: the time a GnuTLS server takes to process an RSA-PSK ClientKeyExchange depends on whether the RSA-decrypted value carries valid PKCS#1 v1.5 padding. That difference is a Bleichenbacher-style padding oracle and can lead to the leakage of sensitive data, ultimately the pre-master secret of a recorded session.

Background

GnuTLS is a widely used secure communication library that implements the SSL, TLS, and DTLS protocols. It is designed to provide secure communication between two peers while verifying the authenticity of those peers (using X.509 certificates, for example). GnuTLS is used extensively and runs on many platforms, including Linux distributions, macOS, and Windows.

Vulnerability Details

CVE-2024-0553 is closely related to CVE-2023-5981, a timing side-channel in the same RSA-PSK ClientKeyExchange handling that was addressed in GnuTLS 3.8.2. The fix for CVE-2023-5981 was incomplete, and CVE-2024-0553 is the remaining part of the problem: the RSA-PSK ClientKeyExchange code path in GnuTLS still behaves differently, in time, for malformed and well-formed ciphertexts.

In this case, the server's response time to an improperly formatted ciphertext differs from its response time to a ciphertext with correct PKCS#1 v1.5 padding. A remote client can exploit this discrepancy as a padding oracle: by sending adaptively chosen ciphertexts and measuring the server's timing, it learns whether each one decrypts to a correctly padded block, which is exactly the information a Bleichenbacher attack needs to recover the pre-master secret of a previously captured RSA-PSK session. Only servers that negotiate RSA-PSK ciphersuites (TLS 1.2 and earlier; TLS 1.3 has no RSA key transport) expose the affected code path.
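As an added example written for this page (not GnuTLS code), the following Python models the two halves of the problem: a PKCS#1 v1.5 unpadding routine that returns as soon as a check fails, and the RFC 5246 section 7.4.7.1 style replacement that does the same work on every input and silently substitutes a random pre-master secret on error. The 128-byte modulus, the operation counter standing in for wall-clock time, and the probe ciphertexts are constructed for the example; `leaks_timing()` plays the attacker, who sees nothing but how long each ClientKeyExchange took.

```python
import os

K = 128        # RSA modulus size in bytes (constructed: a 1024-bit server key)
PMS_LEN = 48   # TLS pre-master secret length, fixed by RFC 5246 7.4.7.1


def pkcs1_v15_pad(pms: bytes, k: int = K) -> bytes:
    """Build the PKCS#1 v1.5 type 2 block the client RSA-encrypts:
    00 02 || PS (nonzero, >= 8 bytes) || 00 || pre-master secret."""
    ps_len = k - 3 - len(pms)
    ps = b""
    while len(ps) < ps_len:                          # padding bytes must be nonzero
        ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + ps + b"\x00" + pms


def unpad_leaky(block: bytes, fallback: bytes):
    """Vulnerable pattern: bail out at the first failed check.
    Returns (pms_or_None, ops); ops counts byte operations and stands in for
    the wall-clock time the client can measure. `fallback` is ignored."""
    ops = 1
    if block[0] != 0 or block[1] != 2:               # wrong header: fastest path
        return None, ops
    i = 2
    while i < len(block) and block[i] != 0:          # scan for the 0x00 separator
        i += 1
        ops += 1
    if i == len(block) or i < 10:                    # no separator / PS shorter than 8
        return None, ops
    pms = block[i + 1:]
    if len(pms) != PMS_LEN:                          # payload is not 48 bytes
        return None, ops
    ops += len(pms)                                  # copying the secret out
    return pms, ops


def unpad_ct(block: bytes, fallback: bytes):
    """Hardened pattern: identical work on every input and no branch on the
    padding check. On any error the caller silently receives `fallback`, a
    random pre-master secret, so the handshake fails later at Finished with
    the same timing as a genuine MAC failure (RFC 5246 7.4.7.1). Python is not
    really constant-time; the arithmetic masking shows the shape of the
    technique and `ops` shows that the work done does not depend on the input."""
    ops = 1
    k = len(block)
    bad = int(block[0] != 0) | int(block[1] != 2)
    sep, not_found = -1, 1
    for i in range(2, k):                            # always scan the whole block
        is_zero = int(block[i] == 0)
        first = is_zero & not_found                  # 1 exactly at the first 0x00
        sep += first * (i + 1)                       # -1 -> i, once
        not_found &= 1 - is_zero
        ops += 1
    bad |= not_found                                 # no separator at all
    bad |= int(sep < 10)                             # PS shorter than 8 bytes
    bad |= int(k - sep - 1 != PMS_LEN)               # payload is not 48 bytes
    mask = bad * 0xFF
    candidate = block[k - PMS_LEN:]                  # fixed-position read
    out = bytes((c & (0xFF ^ mask)) | (f & mask)
                for c, f in zip(candidate, fallback))
    ops += PMS_LEN
    return out, ops


def leaks_timing(unpad) -> bool:
    """Attacker's view of the server: nothing but how long each
    ClientKeyExchange took. True if some malformed ciphertext is
    distinguishable from a well-formed one, i.e. a padding oracle exists."""
    good = pkcs1_v15_pad(os.urandom(PMS_LEN))
    fallback = os.urandom(PMS_LEN)
    probes = [                                       # constructed malformed blocks
        b"\x00\x01" + good[2:],                       # wrong block type
        b"\x00\x02" + b"\x11" * (K - 2),              # no 0x00 separator
        b"\x00\x02" + b"\x11" * 60 + b"\x00" + b"\x22" * (K - 63),  # 65-byte payload
    ]
    reference = unpad(good, fallback)[1]
    return any(unpad(p, fallback)[1] != reference for p in probes)


if __name__ == "__main__":
    for name, f in (("leaky", unpad_leaky), ("constant-work", unpad_ct)):
        print(f"{name}: padding oracle via timing = {leaks_timing(f)}")
```

The point of `unpad_ct` is not the masking trick itself but the contract with its caller: it never reports a padding failure, so there is no result for the caller to branch on. CVE-2024-0553 is a reminder that the decrypt routine alone is not enough; everything the server does between the decrypt and the Finished message has to be equally indifferent to the outcome.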

Code Snippet

The snippet below is an illustrative sketch of the affected code path, not verbatim GnuTLS source. In GnuTLS the server's handling of this message lives in proc_rsa_psk_client_kx() in lib/auth/rsa_psk.c; it is the server, not the client, that RSA-decrypts the EncryptedPreMasterSecret and is therefore the side whose timing leaks.

/* Illustrative sketch, not verbatim GnuTLS source: the server's handling of
 * an RSA-PSK ClientKeyExchange (the real code is proc_rsa_psk_client_kx()
 * in lib/auth/rsa_psk.c). server_privkey is a placeholder name. */
static int proc_rsa_psk_client_kx(gnutls_session_t session,
                                  uint8_t *data, size_t data_size)
{
  gnutls_datum_t ciphertext;  /* EncryptedPreMasterSecret parsed from data */
  uint8_t rsa_pms[48];        /* fixed-size output buffer */
  int ret;
  /* ... parse psk_identity and the encrypted pre-master secret ... */
  /* gnutls_privkey_decrypt_data2() decrypts into a fixed-size buffer so the
   * caller does not have to branch on the plaintext length. */
  ret = gnutls_privkey_decrypt_data2(server_privkey, 0, &ciphertext,
                                     rsa_pms, sizeof(rsa_pms));
  /* The leak: any work that depends on ret before rsa_pms is combined with
   * the PSK (an early return, an extra copy, a different error path) is
   * measurable by the client. */
  if (ret < 0)
    return gnutls_assert_val(ret);  /* data-dependent early exit */
  /* ... premaster = len(rsa_pms) || rsa_pms || len(psk) || psk ... */
  return 0;
}

The leak is not in the modular exponentiation but in what the server does after it. If a malformed ciphertext is processed differently from a well-formed one (an early return, a different error path, a different number of bytes copied), the time until the server's next handshake message or alert differs, and that difference is the padding oracle. The 3.8.2 fix for CVE-2023-5981 aligned the RSA-PSK path with the mitigation already used by the plain RSA key exchange; the 3.8.3 fix for CVE-2024-0553 removed the branching that remained after the decrypt.

Original References

- GnuTLS official website: https://www.gnutls.org
- CVE-2024-0553 details in MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0553
- GnuTLS security advisory: https://lists.gnutls.org/pipermail/gnutls-devel/2024-February/002352.html

Exploit Details

No public exploit code is known for this vulnerability. The oracle is, however, of the kind that Bleichenbacher-style attacks are built on, and the remedy is a straightforward upgrade: GnuTLS 3.8.3 fixes CVE-2024-0553, so users of GnuTLS and developers relying on the library should update to 3.8.3 or later. RSA-PSK ciphersuites have to be enabled explicitly in a GnuTLS priority string (for example with +RSA-PSK); a server that never enables them does not expose the affected code path, and TLS 1.3 does not contain this key exchange at all.
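As an added check (written for this page, not part of the GnuTLS project), the following Python decides whether a deployment is exposed: it reads the installed version from `gnutls-cli --version` (or, offline, from a constructed sample of that output) and compares it with 3.8.3, and it scans a priority string for an RSA-PSK key exchange token. The assumption that RSA-PSK is absent unless a +RSA-PSK token enables it is labelled in the code.

```python
import re
import shutil
import subprocess

FIXED_IN = (3, 8, 3)  # GNUTLS-SA-2024-01-14: CVE-2024-0553 is fixed in GnuTLS 3.8.3

# Constructed sample of `gnutls-cli --version` output, used when the tool is
# not installed; the real tool prints the version on its first line.
SAMPLE_VERSION_OUTPUT = (
    "gnutls-cli 3.8.2\n"
    "Copyright (C) 2000-2023 Free Software Foundation, and others, "
    "all rights reserved.\n"
)


def parse_gnutls_version(text: str) -> tuple:
    """Extract (major, minor, patch) from `gnutls-cli --version` or
    `pkg-config --modversion gnutls` output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if m is None:
        raise ValueError("no version number found in: %r" % text[:60])
    return tuple(int(x) for x in m.groups())


def is_patched(version: tuple) -> bool:
    """True for 3.8.3 and every later release."""
    return tuple(version) >= FIXED_IN


def rsa_psk_enabled(priority: str) -> bool:
    """Decide whether a GnuTLS priority string turns on RSA-PSK key exchange.
    Later tokens override earlier ones. Assumption (labelled): PSK key
    exchanges, RSA-PSK included, are opt-in, i.e. not part of NORMAL or
    SECURE* unless a +RSA-PSK token is present."""
    enabled = False
    for tok in priority.split(":"):
        tok = tok.strip().upper()
        if tok == "+RSA-PSK":
            enabled = True
        elif tok in ("-RSA-PSK", "-KX-ALL"):
            enabled = False
    return enabled


def exposure(version_output: str, priority: str) -> dict:
    """Combine both checks: exposed only if unpatched AND RSA-PSK is on."""
    v = parse_gnutls_version(version_output)
    on = rsa_psk_enabled(priority)
    return {
        "version": v,
        "patched": is_patched(v),
        "rsa_psk_enabled": on,
        "exposed": (not is_patched(v)) and on,
    }


def installed_version_output() -> str:
    """Ask the installed gnutls-cli; fall back to the constructed sample."""
    exe = shutil.which("gnutls-cli")
    if exe is None:
        return SAMPLE_VERSION_OUTPUT
    return subprocess.run([exe, "--version"], capture_output=True,
                          text=True, check=False).stdout


if __name__ == "__main__":
    out = installed_version_output()
    for prio in ("NORMAL", "NORMAL:+RSA-PSK", "NORMAL:+RSA-PSK:-RSA-PSK"):
        print(prio, exposure(out, prio))
```

For an application that links libgnutls directly, substitute the output of `pkg-config --modversion gnutls` for the `gnutls-cli` line; `parse_gnutls_version()` accepts either. The priority string to check is whatever the server passes to gnutls_priority_init() or gnutls_set_default_priority_append().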

Conclusion

CVE-2024-0553 is a serious vulnerability in the GnuTLS library that allows a remote attacker to use timing differences in the server's RSA-PSK ClientKeyExchange processing as a PKCS#1 v1.5 padding oracle. Users of GnuTLS and developers relying on it are strongly urged to update to GnuTLS 3.8.3 or later, to avoid enabling RSA-PSK ciphersuites where they are not needed, and to stay informed on any further developments related to this issue.

Timeline

Published on: 01/16/2024 12:15:45 UTC
Last modified on: 03/25/2024 18:15:08 UTC