CVE-2023-32342: IBM GSKit Remote Attackers Could Obtain Sensitive Information Through RSA Decryption Side Channel

IBM has reported a new vulnerability in its GSKit library, a cryptographic library embedded in many IBM products. Tracked as CVE-2023-32342, the vulnerability allows remote attackers to obtain sensitive information by exploiting a timing-based side channel in the library's RSA decryption implementation. The IBM X-Force ID for this vulnerability is 255828.

The Vulnerability

The RSA decryption routine in IBM's GSKit library takes an amount of time that depends on the ciphertext being processed. A remote attacker who can submit ciphertexts for decryption sends a large number of trial messages, measures how long each one takes to be rejected or processed, and uses the timing differences to recover sensitive data.

Affected Products

The GSKit library from IBM, featured in many of their main cryptographic applications, is affected by this vulnerability. Some commonly used software products employing the library include:

IBM Tivoli® Directory Integrator (TDI)

Users of these products, or of any other software that links the GSKit library, may be exposed to CVE-2023-32342 depending on the GSKit version in use. To identify the version of your GSKit installation, consult vlog_disp.log, typically located in the logs folder of the GSKit installation.

The Exploit

To better understand how this vulnerability could be exploited, consider an example scenario. An attacker sends thousands of trial messages to the victim's server and records how long the server spends decrypting each one.

In this example, assume the victim is running a version of IBM GSKit affected by the RSA decryption side channel. The attacker sends trial messages with differing payloads and records the time spent decrypting each of them.

import time
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5
from Crypto.Random import get_random_bytes

# Stand-in for the server's RSA key (generated locally for this illustration;
# the original snippet left rsa_key undefined and imported AES instead of RSA)
rsa_key = RSA.generate(2048)
# PKCS#1 v1.5 decryptor; on a padding error it returns the sentinel instead of raising,
# so every trial message is processed and timed rather than aborting the loop
cipher = PKCS1_v1_5.new(rsa_key)
sentinel = get_random_bytes(16)

# Attacker sends a large number of encrypted trial messages (256 bytes matches the 2048-bit modulus)
trial_messages = [get_random_bytes(256) for _ in range(10000)]

def decryption_timing(trial_message):
    # perf_counter gives higher resolution than time.time() for short intervals
    start_time = time.perf_counter()
    cipher.decrypt(trial_message, sentinel)
    return time.perf_counter() - start_time

decryption_times = [decryption_timing(msg) for msg in trial_messages]

Once the attacker has recorded the decryption times, they analyze the data for a pattern in the server's behavior. If a correlation can be established between properties of the input ciphertext and the time spent decrypting it, sensitive information, up to and including the private RSA key, may be exposed.

Mitigation

IBM has acknowledged the severity of this vulnerability and issued an official security bulletin addressing it. Users are urged to apply the latest patches provided for products that use the GSKit library.

- Official IBM Security Bulletin
- IBM X-Force Exchange: CVE-2023-32342
- National Vulnerability Database Entry

Conclusion

CVE-2023-32342 is a critical vulnerability that exposes private information to remote attackers through a timing-based side channel in the RSA decryption implementation of IBM's GSKit library. Users are strongly encouraged to update their GSKit installations to the latest version and to monitor their systems for signs of exploitation.
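The attack described above has an observable footprint: a single client submitting a large number of RSA decryption attempts, most of which fail, within a short period. The following added example (not IBM's code or part of the original bulletin) shows one way to monitor for that footprint. It assumes a hypothetical application log line of the form `<timestamp> src=<client> op=rsa_decrypt result=<ok|padding_error>`; GSKit's real log format is not documented on this page, so the parser is an assumption and the sample log lines are constructed.

```python
"""Flag clients that flood a server with failed RSA decryption attempts.

Added example, not part of the original page. The log format below is a
constructed assumption standing in for whatever the protected application
actually records about RSA decryption outcomes.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed log format: <ISO 8601 UTC timestamp> src=<client> op=rsa_decrypt result=<ok|padding_error>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) op=rsa_decrypt result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return (timestamp, client, result) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("src"), m.group("result")


def find_trial_message_floods(lines, window=timedelta(seconds=60), threshold=100):
    """Return {client: first alert time} for clients whose failed decryptions
    inside any sliding `window` reach `threshold`. Lines must be time-ordered."""
    recent = defaultdict(deque)   # client -> timestamps of recent failures
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                       # skip unrelated or malformed lines
        ts, src, result = parsed
        if result == "ok":
            continue                       # successful decryptions are not suspicious
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts               # record the moment the client crossed the line
    return alerts


def make_sample_log():
    """Constructed sample: a legitimate client with a couple of stray failures,
    and one client sending 150 malformed ciphertexts in 45 seconds."""
    base = datetime(2023, 6, 1, 12, 0, 0)
    lines = []
    for i in range(150):                   # the flood: one failure every 300 ms
        t = base + timedelta(milliseconds=300 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=198.51.100.7 op=rsa_decrypt result=padding_error")
    for i in range(5):                     # background traffic from a normal client
        t = base + timedelta(seconds=10 * i)
        result = "padding_error" if i % 2 else "ok"
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=203.0.113.5 op=rsa_decrypt result={result}")
    lines.append("2023-06-01T12:00:03Z unrelated line that the parser ignores")
    lines.sort()                           # ISO 8601 prefixes sort chronologically
    return lines


if __name__ == "__main__":
    for client, when in find_trial_message_floods(make_sample_log()).items():
        print(f"ALERT {client}: decryption-failure flood starting {when:%Y-%m-%dT%H:%M:%SZ}")
```

The threshold and window are deliberately coarse: a legitimate client decrypting under a padding scheme almost never produces more than a handful of failures per minute, while the attack in this bulletin needs thousands of trial messages, so a rate-based rule catches it without modelling timing at all. Tune `threshold` against a baseline of your own traffic before enabling alerts.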

Timeline

Published on: 05/30/2023 22:15:00 UTC
Last modified on: 06/06/2023 18:18:00 UTC