SUSE update for gnutls



Published: 2023-12-28
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2023-5981
CWE-ID CWE-208
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		SUSE Linux Enterprise Micro for Rancher
Operating systems & Components / Operating system

SUSE Linux Enterprise Server for SAP Applications 15
Operating systems & Components / Operating system

SUSE Linux Enterprise Server 15 SP3 LTSS
Operating systems & Components / Operating system

SUSE Linux Enterprise Server 15
Operating systems & Components / Operating system

SUSE Linux Enterprise Server 15 SP2 LTSS
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing LTSS 15
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing ESPOS 15
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing 15
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS
Operating systems & Components / Operating system

SUSE Enterprise Storage
Operating systems & Components / Operating system

SUSE Linux Enterprise Micro
Operating systems & Components / Operating system

libgnutls-devel-32bit
Operating systems & Components / Operating system package or component

libgnutls30-hmac-32bit
Operating systems & Components / Operating system package or component

libgnutls30-32bit-debuginfo
Operating systems & Components / Operating system package or component

libgnutls30-32bit
Operating systems & Components / Operating system package or component

libgnutls30-hmac
Operating systems & Components / Operating system package or component

libgnutls30
Operating systems & Components / Operating system package or component

gnutls-debugsource
Operating systems & Components / Operating system package or component

gnutls-debuginfo
Operating systems & Components / Operating system package or component

libgnutlsxx28-debuginfo
Operating systems & Components / Operating system package or component

libgnutls-devel
Operating systems & Components / Operating system package or component

libgnutlsxx28
Operating systems & Components / Operating system package or component

libgnutls30-debuginfo
Operating systems & Components / Operating system package or component

gnutls
Operating systems & Components / Operating system package or component

libgnutlsxx-devel
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Information Exposure Through Timing Discrepancy

EUVDB-ID: #VU83316

Risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-5981

CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform timing attack.

The vulnerability exists due to the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. A remote attacker can perform timing sidechannel attack in RSA-PSK key exchange.

Mitigation

Update the affected package gnutls to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Micro for Rancher: 5.2

SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP3

SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3

SUSE Linux Enterprise Server 15: SP2 - SP3

SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2

SUSE Linux Enterprise High Performance Computing LTSS 15: SP3

SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3

SUSE Linux Enterprise High Performance Computing 15: SP2 - SP3

SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2

SUSE Enterprise Storage: 7.1

SUSE Linux Enterprise Micro: 5.1 - 5.2

libgnutls-devel-32bit: before 3.6.7-150200.14.28.1

libgnutls30-hmac-32bit: before 3.6.7-150200.14.28.1

libgnutls30-32bit-debuginfo: before 3.6.7-150200.14.28.1

libgnutls30-32bit: before 3.6.7-150200.14.28.1

libgnutls30-hmac: before 3.6.7-150200.14.28.1

libgnutls30: before 3.6.7-150200.14.28.1

gnutls-debugsource: before 3.6.7-150200.14.28.1

gnutls-debuginfo: before 3.6.7-150200.14.28.1

libgnutlsxx28-debuginfo: before 3.6.7-150200.14.28.1

libgnutls-devel: before 3.6.7-150200.14.28.1

libgnutlsxx28: before 3.6.7-150200.14.28.1

libgnutls30-debuginfo: before 3.6.7-150200.14.28.1

gnutls: before 3.6.7-150200.14.28.1

libgnutlsxx-devel: before 3.6.7-150200.14.28.1

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20234986-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###