DBSA:2014-0006
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Contents
Digibase Security Advisory - GnuTLS TLS/SSL Vulnerability
Keywords: SSL, TLS, Vulnerability, Data Exposure, HTTPS, GNU
DBSA ID: 2014-0006
Regarding: GnuTLS TLS/SSL Vulnerability
Writeup: LazloPsylus (talk) 01:35, 6 March 2014 (EST)
Date: 2014 03 06
Last Modified: 20140306030859 by Kradorex Xeron
Who should take note: GNU software users and administrators
Classification
Priority: HIGH
Rationale: Information may be disclosed without immediate reaction
Severity: HIGH
Rationale: Trusted encrypted connections may be at risk
Spread of Issue: MULTI-PLATFORM HIGH
Rationale: Affects all software that links against GnuTLS, regardless of platform or system.
Description
GnuTLS is an LGPL-licensed implementation of the SSL, TLS, and DTLS protocols for use by various applications to enable secure, encrypted communications. A vulnerability has been identified via an audit by Red Hat that incorrectly handles version 1 X.509 certificates, allowing malicious users with access to a valid certificate to issue certificates for other sites that GnuTLS would incorrectly accept as valid. This can be leveraged in numerous ways to compromise information thought to be protected by encryption.
- All versions of GnuTLS prior to 3.2.12 are vulnerable.
Effected software would include network connectivity and encryption, such as web browsers, FTP clients or IRC clients. Utilizing a search engine with the keywords "<software name> GnuTLS" can help determine if a software package is related to GnuTLS.
For further technical information, refer to CVE-2014-0092
Mitigation/Solution
All users are strongly advised to update their GnuTLS libraries if possible, and avoid using software utilizing any vulnerable version of GnuTLS until such software is updated to resolve the vulnerability.
Users of software bundled with the vulnerable library are advised to contact their software vendors to obtain an updated software package with the patched library.