Is CVE-2023-0361 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 1%.

What products does CVE-2023-0361 affect?

Tracked products affected include GnuTLS. Check the version you run to see whether it is affected.

How do I fix CVE-2023-0361?

Apply the vendor fix promptly. An official patch or advisory is available. Upgrade affected products to a fixed version.

← All products

CVE-2023-0361

Q: What is CVE-2023-0361?

CVE-2023-0361 is a high-severity software vulnerability (CWE-203) with a CVSS score of 7.4. A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To a

HIGH severity · CVSS 7.4 · CWE-203

7.4CVSS HIGH

Summary

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.

Impact & exploitability

Attack vectorNetwork

Attack complexityHigh

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactNone

Exploit probability (EPSS)1%

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected products we track (1)

GnuTLS

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://github.com/tlsfuzzer/tlsfuzzer/pull/679 ↗

CVE-2023-0361

Summary

Impact & exploitability

Affected products we track (1)

Recommendation

Additional information