CVE-2024-0553
CVE Details
Visit the official vulnerability details page for CVE-2024-0553 to learn more.
Initial Publication
11/13/2024
Last Update
12/12/2024
Third Party Dependency
libgnutls30
NIST CVE Summary
A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.
CVE Severity
Our Official Summary
This vulnerability in GnuTLS, presents a moderate severity concern due to its potential for facilitating timing side-channel attacks in RSA-PSK ciphersuites. The images where this vulnerability is have controls in place are not accessible outside the cluster. So the attacker needs to gain privileged access to the cluster to attempt this exploit. Also the containers do not allow execution of arbitrary code. Impact of this exploit is also low, since container reduces the attack surface.
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.4.20 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
Revision History
| Date | Revision |
|---|---|
| 12/12/2024 | Official summary added |