CVE-2023-0361 Overview
A timing side-channel vulnerability was discovered in GnuTLS in the handling of RSA ClientKeyExchange messages during TLS handshakes. It enables a Bleichenbacher-style attack, in which an adversary exploits subtle timing differences in the server's cryptographic operations to recover the key (the TLS pre-master secret) encrypted in the RSA ciphertext, across a network connection.
The attack requires sending a large volume of specially crafted messages to the vulnerable server. By successfully recovering the secret from the ClientKeyExchange message, an attacker can decrypt all application data exchanged over that TLS connection, completely compromising the confidentiality and integrity of encrypted communications.
Critical Impact
Successful exploitation allows complete decryption of TLS-protected communications, enabling attackers to intercept sensitive data including credentials, session tokens, and confidential application data transmitted over affected connections.
Affected Products
- GNU GnuTLS (including version 3.6.8-11.el8_2)
- Red Hat Enterprise Linux 8.0 and 9.0
- Debian Linux 10.0
- Fedora 36, 37, and 38
- NetApp Active IQ Unified Manager (VMware vSphere)
- NetApp Converged Systems Advisor Agent
- NetApp ONTAP Select Deploy Administration Utility
Discovery Timeline
- February 15, 2023 - CVE-2023-0361 published to NVD
- March 19, 2025 - Last updated in NVD database
Technical Details for CVE-2023-0361
Vulnerability Analysis
This vulnerability represents a classic timing side-channel attack targeting RSA key exchange operations in the TLS protocol. The flaw exists in how GnuTLS processes RSA-encrypted ClientKeyExchange messages, where the cryptographic implementation leaks timing information that correlates with the validity of PKCS#1 v1.5 padding.
A constant-time PKCS#1 v1.5 implementation takes the same amount of time to process valid and invalid ciphertexts (RSA-OAEP avoids the problem by design, but TLS RSA key exchange uses PKCS#1 v1.5). The vulnerable GnuTLS implementation, however, exhibits measurable timing differences depending on how far the decryption process progresses before a padding error is detected. These variations, though small, can be measured across a network and exploited through statistical analysis.
The attack methodology follows the Bleichenbacher adaptive chosen-ciphertext attack pattern, first described in 1998. An attacker systematically sends malformed RSA ciphertexts and observes the server's response times. By analyzing these timing differences across thousands or millions of queries, the attacker can progressively narrow down the possible values of the encrypted pre-master secret until full recovery is achieved.
Root Cause
The root cause is a non-constant-time implementation in the RSA decryption path within GnuTLS. Specifically, the code handling PKCS#1 v1.5 padding verification during RSA ClientKeyExchange processing exhibits data-dependent timing behavior (CWE-203: Observable Discrepancy). When processing RSA ciphertexts, different code paths are taken based on the padding structure, and these paths have measurably different execution times that leak information about the decryption state.
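To make the root cause concrete, here is an added example (written for this page, not GnuTLS's own code) that places a PKCS#1 v1.5 unpadding routine with data-dependent early returns next to a constant-time version that also applies the RFC 5246 7.4.7.1 countermeasure of substituting a random pre-master secret on failure. The function names (leaky_unpad, ct_unpad) and mask helpers are this example's own, and the 128-byte block in the test is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PMS_LEN 48   /* TLS pre-master secret length (RFC 5246, 7.4.7.1) */

/* Constant-time mask helpers: all ones when the condition holds, else zero. */
static uint32_t ct_nonzero(uint32_t x) { return 0u - ((x | (0u - x)) >> 31); }
static uint32_t ct_eq(uint32_t a, uint32_t b) { return ~ct_nonzero(a ^ b); }
static uint32_t ct_select(uint32_t m, uint32_t a, uint32_t b) { return (m & a) | (~m & b); }

/* Leaky PKCS#1 v1.5 unpadding of the RSA-decrypted block em[0..k): it returns
 * at the first malformed byte, so its running time depends on where the
 * padding breaks (CWE-203), which is what a Bleichenbacher oracle measures. */
int leaky_unpad(const uint8_t *em, size_t k, uint8_t pms[PMS_LEN]) {
    if (em[0] != 0x00 || em[1] != 0x02) return -1;
    size_t i = 2;
    while (i < k && em[i] != 0x00) i++;            /* find the 0x00 separator */
    if (i == k || i < 10) return -1;               /* need >= 8 padding bytes */
    if (k - i - 1 != PMS_LEN) return -1;           /* wrong secret length */
    memcpy(pms, em + i + 1, PMS_LEN);
    return 0;
}

/* Hardened unpadding: inspects every byte, never branches on the block's
 * contents, and on any failure (bad padding or client_version mismatch)
 * substitutes the caller-supplied random secret rnd, as RFC 5246 7.4.7.1
 * prescribes, so the handshake fails later at Finished exactly as it would
 * for a wrong guess. Returns 1 when the block was valid; callers must not
 * branch, log or alert on that value before the Finished exchange. */
int ct_unpad(const uint8_t *em, size_t k, const uint8_t ver[2],
             const uint8_t rnd[PMS_LEN], uint8_t pms[PMS_LEN]) {
    if (k < PMS_LEN + 11) { memcpy(pms, rnd, PMS_LEN); return 0; } /* k is public */
    size_t sep = k - PMS_LEN - 1;                  /* separator must sit here */
    uint32_t good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02);
    for (size_t i = 2; i < sep; i++) good &= ct_nonzero(em[i]);
    good &= ct_eq(em[sep], 0x00);
    good &= ct_eq(em[sep + 1], ver[0]) & ct_eq(em[sep + 2], ver[1]);
    for (size_t i = 0; i < PMS_LEN; i++)
        pms[i] = (uint8_t)ct_select(good, em[sep + 1 + i], rnd[i]);
    return (int)(good & 1u);
}
```

Note that the leaky version accepts a block whose embedded client_version is wrong, while the hardened one treats it as a failure and silently swaps in rnd, which is the behaviour the TLS specification requires.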
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker positioned to intercept TLS traffic and communicate with the target server can execute this attack by:
- Capturing a legitimate TLS handshake containing an RSA-encrypted ClientKeyExchange message
- Sending a large number of modified versions of this ciphertext to the server
- Measuring server response times with high precision to detect timing variations
- Using statistical analysis to correlate timing differences with padding oracle responses
- Iteratively recovering the pre-master secret through adaptive queries
- Deriving the session keys and decrypting the captured application data
The attack requires significant computational resources and network access, but is feasible for a determined adversary targeting high-value communications. The vulnerability affects TLS connections using RSA key exchange cipher suites.
Detection Methods for CVE-2023-0361
Indicators of Compromise
- Unusually high volumes of TLS handshake failures or RSA decryption errors from a single source IP
- Repeated connection attempts with malformed ClientKeyExchange messages in TLS logs
- Statistical anomalies in TLS handshake timing patterns indicating probing activity
- Network traffic showing thousands of similar TLS connections in rapid succession to the same server
Detection Strategies
- Monitor TLS server logs for elevated rates of handshake failures specifically during RSA key exchange
- Implement network-level detection for high-frequency TLS connection attempts from single sources
- Deploy intrusion detection signatures that identify Bleichenbacher attack patterns in TLS traffic
- Analyze connection timing histograms for evidence of systematic timing measurement attempts
Monitoring Recommendations
- Enable detailed TLS handshake logging on servers using GnuTLS to capture ClientKeyExchange processing events
- Configure SIEM rules to alert on threshold violations for TLS handshake error rates
- Implement rate limiting on TLS handshakes to slow potential timing attacks
- Monitor for reconnaissance activity targeting TLS configuration endpoints
How to Mitigate CVE-2023-0361
Immediate Actions Required
- Update GnuTLS to the latest patched version available from your distribution's package repository
- Apply vendor-specific security patches from Red Hat, Debian, Fedora, or NetApp as applicable
- Consider disabling RSA key exchange cipher suites in favor of ECDHE-based alternatives
- Audit TLS configurations to ensure modern cipher suite ordering that deprioritizes RSA key exchange
Patch Information
Security patches addressing this vulnerability are available from multiple vendors. For Red Hat systems, refer to the Red Hat CVE-2023-0361 Advisory. Debian users should consult the Debian LTS Security Announcement. Fedora updates are available through the standard package management system. NetApp has released advisories NTAP-20230324-0005 and NTAP-20230725-0005 for affected products. The upstream fix details can be found in the GnuTLS Issue #1050.
Workarounds
- Disable RSA key exchange cipher suites entirely by configuring TLS to use only ECDHE-based key exchange
- Implement network-level rate limiting for TLS connections to increase attack difficulty
- Use forward-secrecy cipher suites exclusively to limit the impact of any key compromise
- Consider deploying a TLS-terminating reverse proxy with a patched TLS implementation in front of vulnerable servers
# GnuTLS priority string to disable RSA key exchange (use ECDHE only)
# Add to application configuration or GnuTLS config file
PRIORITY="NORMAL:-RSA:-DHE-RSA:+ECDHE-RSA:+ECDHE-ECDSA"
# For system-wide GnuTLS configuration on RHEL/Fedora, apply a crypto policy
# (the files under /etc/crypto-policies/back-ends/, such as gnutls.config, are
# generated from the active policy and are overwritten when it changes):
update-crypto-policies --set FUTURE
# Verify cipher suites exclude plain RSA key exchange
gnutls-cli --priority "$PRIORITY" --list
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.