Use of a Broken or Risky Cryptographic Algorithm

Affecting gnutls28 package, versions <3.5.18-1ubuntu1.1

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets.

References

CVSS Score

5.9
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE
CVE-2018-10845
CWE
CWE-327 CWE-385
Snyk ID
SNYK-UBUNTU1804-GNUTLS28-340591
Disclosed
22 Aug, 2018
Published
25 Sep, 2018