First published: Tue Mar 12 2024(Updated: )
A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.
Credit: secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
ubuntu/gnutls28 | <3.6.13-2ubuntu1.11 | 3.6.13-2ubuntu1.11 |
ubuntu/gnutls28 | <3.7.3-4ubuntu1.5 | 3.7.3-4ubuntu1.5 |
ubuntu/gnutls28 | <3.8.1-4ubuntu1.3 | 3.8.1-4ubuntu1.3 |
ubuntu/gnutls28 | <3.8.3-1.1ubuntu3.1 | 3.8.3-1.1ubuntu3.1 |
debian/gnutls28 | <=3.7.1-5+deb11u4<=3.7.1-5+deb11u3<=3.7.9-2+deb12u2 | 3.6.7-4+deb10u8 3.6.7-4+deb10u12 3.8.5-4 |
redhat/gnutls | <3.8.4 | 3.8.4 |
IBM Security Verify Governance, Identity Manager software component | <=ISVG 10.0.2 | |
IBM Security Verify Governance, Identity Manager virtual appliance component | <=ISVG 10.0.2 | |
F5 Traffix Systems Signaling Delivery Controller | =5.2.0=5.1.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2024-28834 has been classified as a significant cryptographic vulnerability due to its potential for side-channel attacks.
To fix CVE-2024-28834, upgrade to GnuTLS versions 3.6.13-2ubuntu1.11 or later for Ubuntu, or to appropriate versions provided by other distributions like Debian and Red Hat.
CVE-2024-28834 affects various GnuTLS implementations across different platforms, including specific versions on Ubuntu, Debian, and Red Hat.
If exploited, CVE-2024-28834 can lead to information leakage through side-channel attacks, potentially compromising sensitive data.
Currently, the best approach for CVE-2024-28834 is to update to the latest GnuTLS versions, as no specific workarounds are recommended.