Use of a Broken or Risky Cryptographic Algorithm

Affecting gnutls28 package, versions <3.5.18-1ubuntu1.1

Overview

It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky Thirteen-style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.

CVSS Score

5.9 (medium severity)

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

  • CVE: CVE-2018-10844
  • CWE: CWE-327, CWE-385
  • Snyk ID: SNYK-UBUNTU1804-GNUTLS28-340605
  • Disclosed: 22 Aug, 2018
  • Published: 25 Sep, 2018