DBSA:2014-0006

From Digibase Knowledge Base

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant; please refer to the "Date" section of the header to be sure the advisory is recent as it pertains to your situation.

Digibase Security Advisory - GnuTLS TLS/SSL Vulnerability

Keywords: SSL, TLS, Vulnerability, Data Exposure, HTTPS, GNU

DBSA ID: 2014-0006

Regarding: GnuTLS TLS/SSL Vulnerability

Writeup: LazloPsylus (talk) 01:35, 6 March 2014 (EST)

Date: 2014 03 06

Last Modified: 20140306030859 by Kradorex Xeron

Who should take note: GNU software users and administrators

Classification

Priority: HIGH

Rationale: Information may be disclosed without immediate reaction

Severity: HIGH

Rationale: Trusted encrypted connections may be at risk

Spread of Issue: MULTI-PLATFORM HIGH

Rationale: Affects all software that links against GnuTLS, regardless of platform or system.

Description

GnuTLS is an LGPL-licensed implementation of the SSL, TLS, and DTLS protocols, used by various applications to enable secure, encrypted communications. A vulnerability identified during an audit by Red Hat causes GnuTLS to incorrectly handle version 1 X.509 certificates, allowing a malicious user who holds a valid certificate to issue certificates for other sites that GnuTLS would incorrectly accept as valid. This can be leveraged in numerous ways to compromise information thought to be protected by encryption.

  • All versions of GnuTLS prior to 3.2.12 are vulnerable.

Affected software includes anything providing network connectivity and encryption, such as web browsers, FTP clients or IRC clients. Searching the web for the keywords "<software name> GnuTLS" can help determine whether a software package depends on GnuTLS.

For further technical information, refer to CVE-2014-0092.

Mitigation/Solution

All users are strongly advised to update their GnuTLS libraries if possible, and avoid using software utilizing any vulnerable version of GnuTLS until such software is updated to resolve the vulnerability.

Users of software bundled with the vulnerable library are advised to contact their software vendors to obtain an updated software package with the patched library.
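The two practical questions this advisory raises for an administrator are "is my GnuTLS older than 3.2.12?" and "which programs on this host actually load it?". The script below is an added example written for this page, not tooling from GnuTLS or from Digibase. It assumes a POSIX shell with `ldd`, and that the installed version can be read from `pkg-config --modversion gnutls` or, failing that, from the first line of `gnutls-cli --version` (whose exact output format is an assumption). The version comparison is done field by field so that, for example, 3.2.9 is correctly treated as older than 3.2.12.

```shell
#!/bin/sh
# Added example for DBSA:2014-0006 (not GnuTLS or Digibase code).
# Flags GnuTLS versions below the fixed release named in the advisory and
# lists executables that dynamically link libgnutls.

FIXED_MAJOR=3
FIXED_MINOR=2
FIXED_PATCH=12

# gnutls_is_vulnerable VERSION
# Returns 0 (true) when VERSION sorts before 3.2.12, 1 otherwise.
# Missing fields count as 0; trailing non-numeric suffixes are ignored.
gnutls_is_vulnerable() {
    ver=$1
    oldifs=$IFS
    IFS=.
    set -- $ver            # split "3.2.12" into positional params 3 2 12
    IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    maj=${maj%%[!0-9]*}; min=${min%%[!0-9]*}; pat=${pat%%[!0-9]*}
    maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}

    for pair in "$maj:$FIXED_MAJOR" "$min:$FIXED_MINOR" "$pat:$FIXED_PATCH"; do
        have=${pair%%:*}
        need=${pair##*:}
        [ "$have" -lt "$need" ] && return 0   # older than the fix: vulnerable
        [ "$have" -gt "$need" ] && return 1   # newer than the fix: fine
    done
    return 1                                   # exactly 3.2.12: fixed
}

# installed_gnutls_version
# Prints the installed library version, or nothing if it cannot be determined.
# Assumption: pkg-config ships gnutls.pc; fallback parses "gnutls-cli X.Y.Z".
installed_gnutls_version() {
    pkg-config --modversion gnutls 2>/dev/null && return 0
    gnutls-cli --version 2>/dev/null | head -n 1 | awk '{print $2}'
}

# links_gnutls PATH
# Returns 0 when the executable at PATH dynamically links libgnutls.
links_gnutls() {
    ldd "$1" 2>/dev/null | grep -q 'libgnutls\.so'
}

# scan_host: report the library version and every binary in common
# directories that loads it, so an admin knows what to update or avoid.
scan_host() {
    v=$(installed_gnutls_version)
    if [ -z "$v" ]; then
        echo "GnuTLS version could not be determined"
    elif gnutls_is_vulnerable "$v"; then
        echo "GnuTLS $v is VULNERABLE (older than 3.2.12): update the library"
    else
        echo "GnuTLS $v is at or above the fixed release 3.2.12"
    fi
    echo "Executables linking libgnutls:"
    for bin in /usr/bin/* /usr/sbin/* /usr/local/bin/*; do
        [ -x "$bin" ] && links_gnutls "$bin" && echo "  $bin"
    done
}

# Run the scan only when invoked as: sh check_gnutls.sh --scan
[ "${1:-}" = "--scan" ] && scan_host
```

Run it with `--scan` on a host to get the version verdict and the list of linked executables; those executables are the ones the advisory says to avoid until they are rebuilt against, or re-bundled with, a patched library.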
