CVE-2018-10844

It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.
Configurations

Configuration 1 (hide)

cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

Configuration 5 (hide)

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

History

13 Feb 2023, 04:50

Type Values Removed Values Added
Summary It was found that GnuTLS's implementation of HMAC-SHA-256 was vulnerable to Lucky Thirteen-style attack. A remote attacker could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets. It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.
References
  • {'url': 'https://access.redhat.com/security/cve/CVE-2018-10844', 'name': 'https://access.redhat.com/security/cve/CVE-2018-10844', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://bugzilla.redhat.com/show_bug.cgi?id=1582571', 'name': 'https://bugzilla.redhat.com/show_bug.cgi?id=1582571', 'tags': [], 'refsource': 'MISC'}
CWE CWE-327 CWE-385

02 Feb 2023, 16:18

Type Values Removed Values Added
Summary It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets. It was found that GnuTLS's implementation of HMAC-SHA-256 was vulnerable to Lucky Thirteen-style attack. A remote attacker could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets.
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ/', 'name': 'FEDORA-2020-d14280a6e8', 'tags': ['Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7/', 'name': 'FEDORA-2020-f90fb78f70', 'tags': ['Third Party Advisory'], 'refsource': 'FEDORA'}
  • (MISC) https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ/ -
  • (MISC) https://access.redhat.com/security/cve/CVE-2018-10844 -
  • (MISC) https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7/ -
  • (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1582571 -

Information

Published : 2018-08-22 13:29

Updated : 2023-12-10 12:44


NVD link : CVE-2018-10844

Mitre link : CVE-2018-10844

CVE.ORG link : CVE-2018-10844


JSON object : View

Products Affected

redhat

  • enterprise_linux_desktop
  • enterprise_linux_workstation
  • enterprise_linux_server

debian

  • debian_linux

canonical

  • ubuntu_linux

gnu

  • gnutls

fedoraproject

  • fedora
CWE
CWE-385

Covert Timing Channel

CWE-327

Use of a Broken or Risky Cryptographic Algorithm