CVE-2024-0553: Gnutls: incomplete fix for cve-2023-5981
Description
A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.
Classification
CVE ID: CVE-2024-0553
Problem Types
Observable DiscrepancyAffected Products
Vendor: , Red Hat
Product: , Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.6 Extended Update Support, Red Hat Enterprise Linux 8.8 Extended Update Support, Red Hat Enterprise Linux 9, Red Hat Enterprise Linux 9.2 Extended Update Support, RHODF-4.15-RHEL-9, RHOL-5.8-RHEL-9, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7
Exploit Prediction Scoring System (EPSS)
EPSS Score: 1.03% (probability of being exploited)
EPSS Percentile: 76.31% (scored less or equal to compared to others)
EPSS Date: 2025-06-30 (when was this score calculated)
Stakeholder-Specific Vulnerability Categorization (SSVC)
SSVC Exploitation: none
SSVC Technical Impact: partial
SSVC Automatable: true
References
https://nvd.nist.gov/vuln/detail/CVE-2024-0553https://access.redhat.com/errata/RHSA-2024:0533
https://access.redhat.com/errata/RHSA-2024:0627
https://access.redhat.com/errata/RHSA-2024:0796
https://access.redhat.com/errata/RHSA-2024:1082
https://access.redhat.com/errata/RHSA-2024:1108
https://access.redhat.com/errata/RHSA-2024:1383
https://access.redhat.com/errata/RHSA-2024:2094
https://access.redhat.com/security/cve/CVE-2024-0553
https://bugzilla.redhat.com/show_bug.cgi?id=2258412
https://gitlab.com/gnutls/gnutls/-/issues/1522
https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html