SUSE update for gnutls

Published: 2023-12-28

Risk	Medium
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2023-5981
CWE-ID	CWE-208
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	SUSE Linux Enterprise Micro Operating systems & Components / Operating system openSUSE Leap Micro Operating systems & Components / Operating system Basesystem Module Operating systems & Components / Operating system SUSE Linux Enterprise Micro for Rancher Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Applications 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 Operating systems & Components / Operating system SUSE Linux Enterprise Real Time 15 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing 15 Operating systems & Components / Operating system SUSE Linux Enterprise Desktop 15 Operating systems & Components / Operating system openSUSE Leap Operating systems & Components / Operating system SUSE Manager Retail Branch Server Operating systems & Components / Operating system SUSE Manager Server Operating systems & Components / Operating system SUSE Manager Proxy Operating systems & Components / Operating system libgnutls30-64bit-debuginfo Operating systems & Components / Operating system package or component libgnutls-devel-64bit Operating systems & Components / Operating system package or component libgnutls30-hmac-64bit Operating systems & Components / Operating system package or component libgnutls30-64bit Operating systems & Components / Operating system package or component libgnutls30-hmac-32bit Operating systems & Components / Operating system package or component libgnutls30-32bit Operating systems & Components / Operating system package or component libgnutls30-32bit-debuginfo Operating systems & Components / Operating system package or component libgnutls-devel-32bit Operating systems & Components / Operating system package or component libgnutls30-debuginfo Operating systems & Components / Operating system package or component gnutls Operating systems & Components / Operating system package or component libgnutls-devel Operating systems & Components / Operating system package or component gnutls-guile Operating systems & Components / Operating system package or component gnutls-guile-debuginfo Operating systems & Components / Operating system package or component libgnutls30 Operating systems & Components / Operating system package or component gnutls-debuginfo Operating systems & Components / Operating system package or component libgnutlsxx28-debuginfo Operating systems & Components / Operating system package or component libgnutls30-hmac Operating systems & Components / Operating system package or component gnutls-debugsource Operating systems & Components / Operating system package or component libgnutlsxx28 Operating systems & Components / Operating system package or component libgnutlsxx-devel Operating systems & Components / Operating system package or component
Vendor	SUSE

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Information Exposure Through Timing Discrepancy

EUVDB-ID: #VU83316

Risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-5981

CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform timing attack.

The vulnerability exists due to the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. A remote attacker can perform timing sidechannel attack in RSA-PSK key exchange.

Mitigation

Update the affected package gnutls to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Micro: 5.4 - 5.5

openSUSE Leap Micro: 5.4

Basesystem Module: 15-SP4 - 15-SP5

SUSE Linux Enterprise Micro for Rancher: 5.4

SUSE Linux Enterprise Server for SAP Applications 15: SP4 - SP5

SUSE Linux Enterprise Server 15: SP4 - SP5

SUSE Linux Enterprise Real Time 15: SP4 - SP5

SUSE Linux Enterprise High Performance Computing 15: SP4 - SP5

SUSE Linux Enterprise Desktop 15: SP4 - SP5

openSUSE Leap: 15.4 - 15.5

SUSE Manager Retail Branch Server: 4.3

SUSE Manager Server: 4.3

SUSE Manager Proxy: 4.3

libgnutls30-64bit-debuginfo: before 3.7.3-150400.4.38.1

libgnutls-devel-64bit: before 3.7.3-150400.4.38.1

libgnutls30-hmac-64bit: before 3.7.3-150400.4.38.1

libgnutls30-64bit: before 3.7.3-150400.4.38.1

libgnutls30-hmac-32bit: before 3.7.3-150400.4.38.1

libgnutls30-32bit: before 3.7.3-150400.4.38.1

libgnutls30-32bit-debuginfo: before 3.7.3-150400.4.38.1

libgnutls-devel-32bit: before 3.7.3-150400.4.38.1

libgnutls30-debuginfo: before 3.7.3-150400.4.38.1

gnutls: before 3.7.3-150400.4.38.1

libgnutls-devel: before 3.7.3-150400.4.38.1

gnutls-guile: before 3.7.3-150400.4.38.1

gnutls-guile-debuginfo: before 3.7.3-150400.4.38.1

libgnutls30: before 3.7.3-150400.4.38.1

gnutls-debuginfo: before 3.7.3-150400.4.38.1

libgnutlsxx28-debuginfo: before 3.7.3-150400.4.38.1

libgnutls30-hmac: before 3.7.3-150400.4.38.1

gnutls-debugsource: before 3.7.3-150400.4.38.1

libgnutlsxx28: before 3.7.3-150400.4.38.1

libgnutlsxx-devel: before 3.7.3-150400.4.38.1

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20234983-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.