GnuTLS security advisories. Each entry lists the advisory tag, other identifiers (CVE numbers and similar), a short description, and the information and recommendation published with it.

GNUTLS-SA-2017-4
Other identifiers: none
Description: Crash
Information: It was found using the TLS fuzzer tools that decoding a status response TLS extension with valid contents could lead to a crash due to a null pointer dereference. The issue affects GnuTLS server applications. The issue was fixed in 3.5.13.
Recommendation: To address the issue found, upgrade to GnuTLS 3.5.13 or later versions.

GNUTLS-SA-2017-3
Other identifiers: CVE-2017-7869
Description: Memory corruption
Information: It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted OpenPGP certificate could lead to (A) an integer overflow, resulting in an invalid memory write, (B) a null pointer dereference, resulting in a server crash, and (C) a large allocation, resulting in a server out-of-memory condition. These affect only applications which utilize the OpenPGP certificate functionality of GnuTLS. The issues were fixed in 3.5.10.
Recommendation: The support of OpenPGP certificates in GnuTLS is considered obsolete. As such, it is not recommended to use OpenPGP certificates with GnuTLS. To address the issues found, upgrade to GnuTLS 3.5.10 or later versions.

GNUTLS-SA-2017-2
Other identifiers: CVE-2017-5335, CVE-2017-5336, CVE-2017-5337
Description: Memory corruption
Information: It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted OpenPGP certificate could lead to heap and stack overflows. This affects only applications which utilize the OpenPGP certificate functionality of GnuTLS. This issue was fixed in GnuTLS 3.3.26 and 3.5.8.
Recommendation: The support of OpenPGP certificates in GnuTLS is considered obsolete. As such, it is not recommended to use OpenPGP certificates with GnuTLS. To address the issues found, upgrade to GnuTLS 3.3.26, 3.5.8 or later versions.

GNUTLS-SA-2017-1
Other identifiers: CVE-2017-5334
Description: Memory corruption
Information: It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted X.509 certificate with the Proxy Certificate Information extension present could lead to a double free. This issue was fixed in GnuTLS 3.3.26 and 3.5.8.
Recommendation: Upgrade to GnuTLS 3.3.26, 3.5.8 or later versions.

GNUTLS-SA-2016-3
Other identifiers: CVE-2016-7444
Description: OCSP validation issue
Information: Stefan Bühler discovered an issue that affects validation of certificates using OCSP responses, which can falsely report a certificate as valid under certain circumstances. That issue affects gnutls 3.3.24, 3.4.14, 3.5.3 and previous versions. See the write-up by Stefan Bühler.
Recommendation: Upgrade to GnuTLS versions 3.4.15, 3.5.4 or apply the patch referenced in the mail above.

GNUTLS-SA-2016-2
Other identifiers: none
Description: Certificate verification issue
Information: We discovered a vulnerability that affects certificate verification when GnuTLS is used in combination with the p11-kit trust module. That issue affects gnutls 3.3.23, 3.4.12 and later versions.
Who is affected by this vulnerability? GnuTLS installations which are configured to utilize the p11-kit trust store (i.e., when compiled with --with-default-trust-store-pkcs11).
How to mitigate the vulnerability? Disable the trust store verification or upgrade to GnuTLS 3.3.24, 3.4.14 or later versions.

GNUTLS-SA-2016-1
Other identifiers: CVE-2016-4456
Description: File overwrite by setuid programs
Information: Setuid programs using GnuTLS 3.4.12 could potentially allow an attacker to overwrite and corrupt arbitrary files in the filesystem. This issue was introduced in GnuTLS 3.4.12 with the GNUTLS_KEYLOGFILE environment variable handling via getenv() and fixed in GnuTLS 3.4.13 by switching to secure_getenv() where available.
Recommendation: Upgrade to GnuTLS 3.4.13, or later versions.

GNUTLS-SA-2015-4
Other identifiers: CVE-2015-3308
Description: Double free in CRL distribution points decoding of a certificate
Information: Robert Święcki reported that decoding a specially crafted certificate with a certain CRL distribution points format can lead to a double free. This issue was fixed in GnuTLS 3.3.14.
Recommendation: Upgrade to GnuTLS 3.3.14, or later versions.

GNUTLS-SA-2015-3
Other identifiers: CVE-2015-6251
Description: Double free in certificate DN decoding
Information: Kurt Roeckx reported that decoding a specific certificate with very long DistinguishedName (DN) entries leads to a double free, which may result in a denial of service. Since DN decoding occurs in almost all applications using certificates, it is recommended to upgrade to the latest GnuTLS version fixing the issue.
Recommendation: Upgrade to GnuTLS 3.4.4, or 3.3.17.

GNUTLS-SA-2015-2
Other identifiers: No CVE assigned
Description: ServerKeyExchange signature issue
Information: Karthikeyan Bhargavan reported that the ServerKeyExchange signature sent by the server is not verified to use an algorithm from the client's set of acceptable algorithms. That has the effect of allowing MD5 signatures (which are disabled by default) in the ServerKeyExchange message. It is not believed that this bug can be exploited, because a fraudulent signature would have to be generated in real time, which is not known to be possible. However, since attacks only get better, it is recommended to update to a GnuTLS version which addresses the issue.
Recommendation: Upgrade to GnuTLS 3.4.1, or 3.3.15.

GNUTLS-SA-2015-1
Other identifiers: CVE-2015-0282
Description: Signature forgery
Information: This issue only affects versions of GnuTLS prior to 3.1.0 (released in 2012). These versions don't verify that the RSA PKCS #1 signature algorithm matches the signature algorithm in the certificate, leading to a potential downgrade to a disallowed algorithm, such as MD5, without detecting it.
Recommendation: Upgrade to GnuTLS 3.1.0, or later. A patch will be included in the gnutls_2_12_x branch for the users of that version that cannot upgrade.

GNUTLS-SA-2014-5
Other identifiers: CVE-2014-8564
Description: Denial of service
Information: Sean Burford reported that the encoding of elliptic curve parameters in GnuTLS 3 is vulnerable to a denial of service (heap corruption). It affects clients and servers which print information about the peer's public key, e.g., the key ID, and can be exploited via a specially crafted X.509 certificate.
Recommendation: Upgrade to GnuTLS 3.3.10, 3.2.20 or 3.1.28.

GNUTLS-SA-2014-4
Other identifiers: CVE-2014-3566
Description: Possible plaintext recovery
Information: This is a vulnerability in the SSL 3.0 protocol (called POODLE), which can be exploited when TLS clients use a non-standard, insecure protocol negotiation (it affects mostly browsers). Clients performing the standard TLS handshake as documented by GnuTLS are not affected. See the write-up by Nikos.
Recommendation: For clients using the documented handshake process no action is required. Clients that use the non-standard insecure negotiation should not negotiate SSL 3.0. In all cases it is recommended to disable SSL 3.0 using a priority string such as "NORMAL:-VERS-SSL3.0".

GNUTLS-SA-2014-3
Other identifiers: CVE-2014-3466
Description: Memory corruption
Information: This vulnerability affects the client side of the gnutls library. A server that sends a specially crafted ServerHello could corrupt the memory of a requesting client. See the analysis at radare.today.
Recommendation: Upgrade to the latest gnutls version (3.1.25, 3.2.15 or 3.3.4).

GNUTLS-SA-2014-2
Other identifiers: CVE-2014-0092
Description: Certificate verification issue
Information: A vulnerability was discovered that affects the certificate verification functions of all gnutls versions. A specially crafted certificate could bypass certificate validation checks. The vulnerability was discovered during an audit of GnuTLS for Red Hat.
Who is affected by this attack? Anyone using certificate authentication in any version of GnuTLS.
How are past sessions affected? For the vulnerability to be exploited, an active man-in-the-middle attacker is required. Past sessions are not affected unless they were under such an attack.
How to mitigate the attack? Upgrade to the latest GnuTLS version (3.2.12 or 3.1.22), or apply the patch for GnuTLS 2.12.x.

GNUTLS-SA-2014-1
Other identifiers: CVE-2014-1959
Description: Certificate verification issue
Information: Suman Jana reported a vulnerability that affects the certificate verification functions of gnutls 2.11.5 and later versions. A version 1 intermediate certificate will be considered a CA certificate by default (something that deviates from the documented behavior).
Who is affected by this attack? Anyone who has a CA that issues X.509 version 1 certificates in their trusted list.
How to mitigate the attack? Apply the patch or upgrade to the latest GnuTLS version (3.2.11 or 3.1.21).

GNUTLS-SA-2013-3
Other identifiers: CVE-2013-4466
Description: Denial of service
Information: This vulnerability affects the DANE library of gnutls 3.1.x and gnutls 3.2.x. A server that returns more than 4 DANE entries could corrupt the memory of a requesting client.
Recommendation: Upgrade to the latest gnutls version (3.1.16 or 3.2.6).

GNUTLS-SA-2013-2
Other identifiers: CVE-2013-2116
Description: Denial of service
Information: This vulnerability affects gnutls 2.12.23 and its TLS record decoding.
Recommendation: Apply the patch or upgrade to gnutls 3.x.

GNUTLS-SA-2013-1
Other identifiers: TLS CBC padding timing attack, CVE-2013-1619
Description: Possible plaintext recovery
Information: Nadhem Alfardan and Kenny Paterson devised an attack that recovers some bits of the plaintext of a GnuTLS session that utilizes CBC ciphersuites, by using timing information. In order for the attack to work the client must operate as follows. It connects to a server and sends some (encrypted) data that will be intercepted by the attacker, who will terminate the client's connection abnormally (i.e. the client will receive a premature termination error). The client should repeat that multiple times.
Who is affected by this attack? Clients that repeatedly reconnect and transfer the same data after a TLS fatal error occurs.
How to mitigate the attack? Do not enable the CBC ciphersuites; prefer ARCFOUR or GCM modes. Upgrade to the latest GnuTLS version (3.1.7, 3.0.28, or 2.12.23). See the write-up by Nikos.

GNUTLS-SA-2012-4
Other identifiers: "CRIME" attack, CVE-2012-4929
Description: Possible plaintext recovery
Information: There is an attack on TLS called "CRIME" which takes advantage of compression and may recover plaintext under certain circumstances.
Who is affected by this attack? Clients or servers that use compression and provide the ability to an adversary to inject data (multiple times) in their session.
How to mitigate the attack? Do not enable compression (GnuTLS doesn't enable it by default). When using compression, use the CBC ciphers, which include a random padding of up to 255 bytes. That would significantly increase the number of trials an attacker needs to perform. Note that using compression provides information to an attacker on the plaintext.
References: Security advisory; A description of the attack; Another analysis of the attack.

GNUTLS-SA-2012-3
Other identifiers: CVE-2012-1569
Description: Denial of service
Information: This vulnerability is in the libtasn1 library and affects the DER length decoding; it is fixed in the libtasn1 2.12 release. See the write-up by Mu Dynamics.
Recommendation: Upgrade to libtasn1 2.12.

GNUTLS-SA-2012-2
Other identifiers: CVE-2012-1573
Description: Possible buffer overflow/Denial of service
Information: TLS record handling vulnerability fixed in GnuTLS 3.0.15. See the write-up by Mu Dynamics.
Recommendation: Upgrade to GnuTLS 3.0.17 or 2.12.18.

GNUTLS-SA-2012-1
Other identifiers: CVE-2012-0390
Description: Timing attack (DTLS)
Information: This vulnerability allows an attacker to perform partial plaintext recovery using a timing attack in CBC-mode encryption. The attack is applicable to Datagram TLS (DTLS). See the announcement of GnuTLS 3.0.11 and the paper describing the attack.
Recommendation: Upgrade to GnuTLS 3.0.11.

GNUTLS-SA-2011-2
Other identifiers: CVE-2011-4128
Description: Possible buffer overflow/Denial of service
Information: See the mailing list discussion. Note that this vulnerability is triggered by TLS clients that utilize the session resumption functions in a particular way. Clients that perform session resumption using the same steps as in the example code of the GnuTLS documentation are not vulnerable. A preliminary analysis found no vulnerable clients.
Recommendation: Upgrade to GnuTLS 3.0.7 or 2.12.14.

GNUTLS-SA-2011-1
Other identifiers: Rizzo attack on TLS
Description: Plaintext recovery
Information: See the mailing list discussion.
Recommendation: Make use of the TLS 1.1 or TLS 1.2 protocols, which are not vulnerable to the attack. TLS 1.1 is enabled by default in GnuTLS since version 2.0.0 (released in 2007). If this is not possible, disable CBC ciphers.

GNUTLS-SA-2010-1
Other identifiers: CVE-2010-0731
Description: Remote Denial of Service
Information: See the RedHat bugzilla report and the mailing list discussion. This vulnerability is in a version of GnuTLS that has been deprecated since 2006. We keep the information here because this version was included in some distributions.
Recommendation: Upgrade to the latest stable branch.

GNUTLS-SA-2009-5
Other identifiers: CERT VU#120541, CVE-2009-3555
Description: Plaintext injection attack
Information: See the mailing list discussion.
Recommendation: Disable support for TLS renegotiation in application servers, or better, upgrade to GnuTLS 2.10.x.

GNUTLS-SA-2006-2
Other identifiers: CVE-2006-7239
Description: Denial of service?
Information: See the details.
Recommendation: Upgrade to GnuTLS 1.4.2.