CVE-2023-45287 – This CVE describes a timing side-channel vulner... (How to Fix)

Q: What is the severity of CVE-2023-45287?

CVE-2023-45287 has a CVSS score of 7.5 (HIGH). This CVE describes a timing side-channel vulnerability in Go's RSA-based TLS key exchange implementation prior to version 1.20. Attackers could potentially recover session key bits by analyzing timing differences during PKCS#1 padding removal. This affects any application using Go's crypto/tls library with RSA key exchange for TLS connections.

📋 TL;DR

This CVE describes a timing side-channel vulnerability in Go's RSA-based TLS key exchange implementation prior to version 1.20. Attackers could potentially recover session key bits by analyzing timing differences during PKCS#1 padding removal. This affects any application using Go's crypto/tls library with RSA key exchange for TLS connections.

💻 Affected Systems

Products:

Go programming language
Applications built with Go

Versions: All versions before Go 1.20

Operating Systems: All platforms running Go applications

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects TLS connections using RSA key exchange. ECDHE and other key exchanges are not vulnerable.

📦 What is this software?

Go by Golang

View all CVEs affecting Go →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of TLS session keys, allowing decryption of encrypted communications and potential man-in-the-middle attacks

🟠

Likely Case

Partial key recovery requiring sophisticated timing analysis and repeated connections to the same server

🟢

If Mitigated

Minimal impact with proper network segmentation and monitoring for unusual connection patterns

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: HIGH

Exploitation requires precise timing measurements and multiple TLS handshake attempts. The MARVIN attack demonstrates the theoretical vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.20 or later

Vendor Advisory: https://groups.google.com/g/golang-announce/c/QMK8IQALDvA

Restart Required: Yes

Instructions:

1. Upgrade Go installation to version 1.20 or later. 2. Recompile all Go applications with the updated Go version. 3. Restart all Go-based services and applications.

🔧 Temporary Workarounds

Disable RSA key exchange

all

Configure TLS to use ECDHE or other non-RSA key exchange methods

// In Go code, configure TLS config with: tls.Config{CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384}}

🧯 If You Can't Patch

Implement network-level protections like TLS inspection and intrusion detection
Segment affected systems and limit exposure to untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check Go version with 'go version'. If output shows version less than 1.20, system is vulnerable

Check Version:

go version

Verify Fix Applied:

Verify Go version is 1.20 or later and applications have been recompiled with the new version

📡 Detection & Monitoring

Log Indicators:

Unusual number of TLS handshake failures
Multiple rapid connection attempts to the same service

Network Indicators:

High volume of TLS connections with RSA key exchange
Unusual timing patterns in TLS handshakes

SIEM Query:

source="tls_logs" AND (event="handshake_failure" OR event="connection_reset") | stats count by src_ip dest_ip

📊 Metadata

CVE ID: CVE-2023-45287

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-203

Published: December 5, 2023

Last Updated: November 21, 2024

🔗 References

https://go.dev/cl/326012/26 Issue Tracking
https://go.dev/issue/20654 Issue Tracking
https://groups.google.com/g/golang-announce/c/QMK8IQALDvA Mailing List,Release Notes
https://people.redhat.com/~hkario/marvin/ Third Party Advisory
https://pkg.go.dev/vuln/GO-2023-2375 Vendor Advisory
https://security.netapp.com/advisory/ntap-20240112-0005/
https://go.dev/cl/326012/26 Issue Tracking
https://go.dev/issue/20654 Issue Tracking
https://groups.google.com/g/golang-announce/c/QMK8IQALDvA Mailing List,Release Notes
https://people.redhat.com/~hkario/marvin/ Third Party Advisory
https://pkg.go.dev/vuln/GO-2023-2375 Vendor Advisory
https://security.netapp.com/advisory/ntap-20240112-0005/

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-45287, you might also want to check these: