Use of a Broken or Risky Cryptographic Algorithm in gnutls28

Do your applications use this vulnerable package? Test your applications

Overview

A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of "Just in Time" Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets.

References

CONFIRM
Debian Security Announcement
Debian Security Tracker
FEDORA
FEDORA
MISC
RHSA Security Advisory
RHSA Security Advisory
RedHat Bugzilla Bug
Security Focus
Ubuntu CVE Tracker
Ubuntu Security Advisory

Attack Vector

Local
Attack Complexity

High
Privileges Required

Low
User Interaction

None
Scope

Changed
Confidentiality

High
Integrity

None
Availability

None

CVE: CVE-2018-10846
CWE: CWE-327 CWE-385
Snyk ID: SNYK-UBUNTU1604-GNUTLS28-340597
Disclosed: 22 Aug, 2018
Published: 25 Sep, 2018

Use of a Broken or Risky Cryptographic Algorithm
Affecting gnutls28 package, versions <3.4.10-4ubuntu1.5

Overview

References

CVSS Score

Use of a Broken or Risky Cryptographic Algorithm Affecting gnutls28 package, versions <3.4.10-4ubuntu1.5

Overview

References

Use of a Broken or Risky Cryptographic Algorithm
Affecting gnutls28 package, versions <3.4.10-4ubuntu1.5