Skip to main content

Gnutls CVE-2018-10845

MEDIUM
Covert Timing Channel (CWE-385)
2018-08-22 secalert@redhat.com
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Aug 22, 2018 - 13:29 nvd
MEDIUM 5.9

DescriptionNVD

It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets.

AnalysisAI

It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Technical ContextAI

This vulnerability is classified under CWE-385. It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets. Affected products include: Gnu Gnutls, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Workstation, Canonical Ubuntu Linux.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Gnutls

View all
CVE-2021-20231 CRITICAL POC
9.8 Mar 12

A flaw was found in gnutls. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentic

CVE-2014-3466 MEDIUM POC
6.8 Jun 03

Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15

CVE-2024-0553 HIGH POC
7.5 Jan 16

A vulnerability was found in GnuTLS. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no auth

CVE-2012-1663 HIGH POC
7.5 Mar 13

Double free vulnerability in libgnutls in GnuTLS before 3.0.14 allows remote attackers to cause a denial of service (app

CVE-2020-24659 HIGH POC
7.5 Sep 04

An issue was discovered in GnuTLS before 3.6.15. Rated high severity (CVSS 7.5), this vulnerability is remotely exploita

CVE-2019-3836 HIGH POC
7.5 Apr 01

It was discovered in gnutls before version 3.6.7 upstream that there is an uninitialized pointer access in gnutls versio

CVE-2019-3829 HIGH POC
7.5 Mar 27

A vulnerability was found in gnutls versions from 3.5.8 before 3.6.7. Rated high severity (CVSS 7.5), this vulnerability

CVE-2023-0361 HIGH POC
7.4 Feb 15

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. Rated high severity (C

CVE-2012-1569 MEDIUM POC
5.0 Mar 26

The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other pr

CVE-2017-5334 CRITICAL
9.8 Mar 24

Double free vulnerability in the gnutls_x509_ext_import_proxy function in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 al

CVE-2012-1573 MEDIUM POC
5.0 Mar 26

gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before 3.0.15 does not properly handle data encrypted with

CVE-2017-5336 CRITICAL
9.8 Mar 24

Stack-based buffer overflow in the cdk_pk_get_keyid function in lib/opencdk/pubkey.c in GnuTLS before 3.3.26 and 3.5.x b

Share

CVE-2018-10845 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy