DBSA:2014-0006

From Digibase Knowledge Base

Revision as of 02:35, 6 March 2014

Disclaimer: as technology changes, advisories may become out of date or no longer relevant; refer to the "Date" section of the header to confirm that the advisory is current for your situation.

Digibase Security Advisory - GnuTLS TLS/SSL Vulnerability

Keywords: SSL, TLS, Vulnerability, Data Exposure, HTTPS, GNU

DBSA ID: 2014-0006

Regarding: GnuTLS TLS/SSL Vulnerability

Writeup: LazloPsylus (talk) 01:35, 6 March 2014 (EST)

Date: 2014 03 06

Last Modified: 20140306023529 by LazloPsylus

Who should take note: GNU software users and administrators

Classification

Priority: HIGH

Rationale: Information may be disclosed if no immediate action is taken

Severity: HIGH

Rationale: Trusted encrypted connections may be at risk

Spread of Issue: MULTI-PLATFORM HIGH

Rationale: Affects all software that links against GnuTLS, regardless of platform or system.

Description

GnuTLS is an LGPL-licensed implementation of the SSL, TLS, and DTLS protocols, used by many applications to provide secure, encrypted communications. An audit by Red Hat identified a vulnerability in how GnuTLS handles version 1 X.509 certificates: a malicious user holding a valid certificate could issue certificates for other sites that GnuTLS would incorrectly accept as valid. This can be leveraged in numerous ways to compromise information thought to be protected by encryption.

  • All versions of GnuTLS prior to 3.2.12 are vulnerable.

For further technical information, refer to CVE-2014-0092.

Mitigation/Solution

All users are strongly advised to update their GnuTLS libraries as soon as possible, and to avoid using software that links against a vulnerable version of GnuTLS until that software has been updated to resolve the vulnerability.

References