Vulnerability DatabaseCVE-2024-0553

CVE-2024-0553:
NixOS vulnerability analysis and mitigation

Overview

CVE-2024-0553 is a vulnerability discovered in GnuTLS that affects the RSA-PSK key exchange implementation. The vulnerability was identified as an incomplete fix for CVE-2023-5981, where response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue was disclosed on January 16, 2024, and affects GnuTLS versions prior to 3.8.3 (GnuTLS Release).

Technical details

The vulnerability is a timing side-channel attack in the RSA-PSK key exchange implementation. When tested with affected versions, after collecting 203M measurements per probe on an aarch64 platform, definite side-channel signals were detected with a Friedman test p-value of 3.410443646538283e-25, indicating the implementation was vulnerable. The CVSS v3.1 base score for this vulnerability is 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) (Red Hat CVE).

Impact

Successful exploitation of this vulnerability could allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data (NVD).

Mitigation and workarounds

The vulnerability has been fixed in GnuTLS version 3.8.3. Users are advised to upgrade to this version or later. Various Linux distributions have released security updates to address this vulnerability, including Red Hat Enterprise Linux, Fedora, and Debian (Red Hat Advisory, Debian Advisory).

Additional resources

Source: This report was generated using AI

7.5

Score

Published January 16, 2024

Severity HIGH

CNA Score 7.5

Affected Technologies

NixOS
GnuTLS

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 76.3

Exploitation Probability (EPSS) 1

Affected packages and libraries

gnutls-dane
gnutls-devel

Sources

AlmaLinux Security Advisory
- AlmaLinux 8 Severity MEDIUMHas FixAdded at: Feb 01, 2024
- AlmaLinux 9 Severity MEDIUMHas FixAdded at: Jan 30, 2024
Alpine Security Tracker
- Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17 Severity HIGHHas FixAdded at: Jan 28, 2024
- Alpine 3.18, 3.19, edge Severity HIGHHas FixAdded at: Jan 21, 2024
- Alpine 3.20 Severity HIGHHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity HIGHHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity HIGHHas FixAdded at: Jun 01, 2025
CBL-Mariner
- CBL-Mariner 2.0 Severity HIGHHas FixAdded at: Nov 06, 2024
- CBL-Mariner 3.0 Severity HIGHHas FixAdded at: May 04, 2025
Container-Optimized OS Release Notes
- Container-Optimized OS Severity HIGHHas FixAdded at: Feb 14, 2024
Debian Security Tracker
- Debian 10 Severity HIGHHas FixAdded at: Jan 23, 2024
- Debian 11 Severity HIGHHas FixAdded at: Mar 03, 2024
- Debian 12, 13 Severity HIGHHas FixAdded at: Jan 21, 2024
Homebrew
- Homebrew Severity HIGHHas FixAdded at: Feb 12, 2024
Nix
- Nix Severity HIGHHas FixAdded at: Jan 25, 2024
Photon Security Advisory
- Photon 3.0 Severity HIGHHas FixAdded at: Feb 04, 2024
- Photon 4.0, 5.0 Severity HIGHHas FixAdded at: Feb 06, 2024
Red Hat Errata
- Red Hat 6, 7 Severity MEDIUMNo FixAdded at: Jan 21, 2024
- Red Hat 8 Severity MEDIUMHas FixAdded at: Jan 21, 2024
- Red Hat 9 Severity MEDIUMHas FixAdded at: Jan 21, 2024
Ubuntu Security Tracker
- Ubuntu 20.04, 22.04, 23.04, 23.10 Severity MEDIUMHas FixAdded at: Jan 21, 2024
- Ubuntu 24.04 Severity MEDIUMHas FixAdded at: May 06, 2024
- Ubuntu 24.10 Severity MEDIUMHas FixAdded at: Dec 10, 2024
- Ubuntu 25.04 Severity MEDIUMHas FixAdded at: May 08, 2025
NVD
- Linux Severity HIGHHas FixAdded at: Jul 15, 2024