Skip to content

s2n-tls has a potentially observable differences in RSA premaster secret handling

Low severity GitHub Reviewed Published Jun 5, 2024 in aws/s2n-tls • Updated Jun 6, 2024

Package

cargo s2n-tls (Rust)

Affected versions

<= 0.2.6

Patched versions

0.2.7

Description

When receiving a message from a client that sent an invalid RSA premaster secret, an issue in s2n-tls results in the server performing additional processing when the premaster secret contains an incorrect client hello version. While no practical attack on s2n-tls has been demonstrated, this causes a small timing difference which could theoretically be used as described in the Marvin Attack [1].

We would like to thank Hubert Kario [2] for reporting this issue.

Impact

The extent of this issue is a timing difference. No practical attack on s2n-tls has been demonstrated.

This issue affects server applications that permit RSA key exchange. Applications that use the default, built-in blinding feature or properly implement self-service blinding are not affected.

Impacted versions: <= v1.4.15.

Patches

The patch is included in v1.4.16 [3].

Workarounds

Applications can work around this issue by using an s2n-tls security policy that disallows RSA key exchange.

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [4] or directly via email to [email protected]. Please do not create a public GitHub issue.

[1] https://people.redhat.com/~hkario/marvin/
[2] https://github.com/tomato42
[3] https://github.com/aws/s2n-tls/releases/tag/v1.4.16
[4] https://aws.amazon.com/security/vulnerability-reporting

References

@dougch dougch published to aws/s2n-tls Jun 5, 2024
Published to the GitHub Advisory Database Jun 6, 2024
Reviewed Jun 6, 2024
Last updated Jun 6, 2024

Severity

Low

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-52xf-5p2m-9wrv

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.