CVE-2018-10844

Published: 8/22/2018 Last updated: 8/5/2024 Reserved: 5/9/2018

It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.0	5.9	Medium	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Opam packages affected (5)

conf-gnutls conf-mingw-w64-gnutls-i686 conf-mingw-w64-gnutls-x86_64 conf-srt conf-srt-gnutls

Products affected (1)

Product	Vendor	Version
gnutls	[UNKNOWN]	<= 0.1.12

References (20)

https://eprint.iacr.org/2018/747
https://gitlab.com/gnutls/gnutls/merge_requests/657
https://access.redhat.com/errata/RHSA-2018:3505
http://www.securityfocus.com/bid/105138
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10844
https://access.redhat.com/errata/RHSA-2018:3050
https://lists.debian.org/debian-lts-announce/2018/10/msg00022.html
https://usn.ubuntu.com/3999-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ/
https://eprint.iacr.org/2018/747
https://gitlab.com/gnutls/gnutls/merge_requests/657
https://access.redhat.com/errata/RHSA-2018:3505
http://www.securityfocus.com/bid/105138
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10844
https://access.redhat.com/errata/RHSA-2018:3050
https://lists.debian.org/debian-lts-announce/2018/10/msg00022.html
https://usn.ubuntu.com/3999-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ/