CVE CyberSecurity Database News

CVE-2024-28834 - Minerva Attack Exposes Side-Channel Flaw in GnuTLS – What You Need to Know

Poster -

GnuTLS, a popular open-source cryptographic toolkit, was recently found vulnerable to a major side-channel attack. This flaw, tracked as CVE-2024-28834, is tied to the Minerva attack – a cryptographic technique that can leak private key information. If your systems rely on GnuTLS for security, this is one vulnerability you can't ignore.

Below, we’ll break down how this vulnerability works, share code snippets showing the problem, reference original sources, and offer details on exploitation risk.

What is the Minerva Attack?

The Minerva attack is a cryptanalytic method outlined in Barbosa et al., 2021. It exploits deterministic behavior in cryptographic code, especially with RSA key implementations that make “reproducible signatures.” In simple terms, the attack monitors subtle changes (timing, power, EM leaks) during crypto operations – even tiny leaks can help attackers extract bit-by-bit secret key material.

This is not a remote code execution vulnerability. Instead, it’s a leakage via “side channels.” In other words, the software doesn’t mean to give away secrets, but differences in how long things take to run – or how much power a chip uses – can be enough for a skilled attacker to get the key.

How Does CVE-2024-28834 Affect GnuTLS?

The flaw is in GnuTLS’s handling of ECDSA and DSA private keys when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag.

- Normal behavior: Nonces (random numbers used just once for crypto operations) are unpredictable and random.
- With GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE: The nonce generation becomes deterministic so repeated signatures are reproducible (for testing, debugging, or compliance).
- The flaw: If nonce length changes even slightly (from 513 bits to 512 bits, for instance), it introduces a timing signal that tells an observer something about the secret key in use — a prime target for Minerva-style attacks.

In summary: if an attacker can see or guess your nonce sizes (maybe by monitoring timings), and you’re running GnuTLS with this flag enabled, they could start piecing together your private key.

To see how this cropping up in real code, here’s a rough sketch of the vulnerable logic

/* Vulnerable nonce generation when reproducibility is requested */
if (flags & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) {
    // Deterministically generate 'k' (the nonce) based on the message hash
    ret = gnutls_privkey_generate_nonce(privkey, hash, &k, &k_size);
    if (ret < )
        return ret;
    // k_size could be 513 or 512 bits, depending on input
}

In the genuine GnuTLS source, this logic is more buried, but this is the essential problem: the generated nonce can “jump” in size in a predictable way that leaks information about the message being signed or the key itself.

This vulnerability is practical only in special circumstances

- You must use the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag. This is *not* the default, but some systems, tests, or compliance profiles enable it.
- You must repeatedly sign messages with the same key. The attack works only when nonce behavior can be observed many times.
- You need side-channel access. An attacker needs to measure tiny timing differences or power usage, or get partial nonce information via some output channel (or via an oracle).

Access Scenario

- Malicious user can trigger many ECDSA/DSA signatures by the same key.

The target system uses GnuTLS with reproducible signatures enabled.

- Attacker times how long each signing operation takes: notes when operations create a 512-bit versus a 513-bit nonce.
- Over hundreds or thousands of observations, these tiny differences allow the attacker to reconstruct bits of the private key.

Minerva: The Leakage After the “Fix”

https://minerva.crocs.fi.muni.cz/

GnuTLS Security Advisory for CVE-2024-28834

https://gnutls.org/security.html#GNUTLS-SA-2024-2
- NIST/NVD Entry: CVE-2024-28834
https://nvd.nist.gov/vuln/detail/CVE-2024-28834

Don’t use GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE unless absolutely needed.

3. Limit or rate-limit signing operations using ECDSA/DSA keys, especially in high-threat environments.

Conclusion

CVE-2024-28834 shows how even tiny, invisible details in crypto libraries can become gaping holes for attackers. If you depend on GnuTLS, review your configs, upgrade, and disable reproducible-signature flags unless you *really* need them. Remember: with crypto, tiny leaks can have big consequences.

Stay safe – and always keep your libraries up to date!


*Want more details, POCs or advisories on this? Check the official GnuTLS advisory or read the Minerva cryptanalysis paper!*

Timeline

Published on: 03/21/2024 14:15:07 UTC
Last modified on: 04/18/2024 05:15:48 UTC