Advisories

TagOther identifiersSeverityInformation
GNUTLS-SA-2014-5
CVE-2014-8564 Denial of service Sean Burford reported that the encoding of elliptic curves parameters GnuTLS 3 is vulnerable to a denial of service (heap corruption). It affects clients and servers which print information about the peer's public key, e.g., the key ID, and can be exploited via a specially crafted X.509 certificate.
Recommendation: Upgrade to GnuTLS 3.3.10, 3.2.20 or 3.1.28.
GNUTLS-SA-2014-4
CVE-2014-3566 Possible plaintext recovery This is a vulnerability on the SSL 3.0 protocol (called POODLE), which can be exploited when TLS clients use a non-standard insecure protocol negotiation (it affects mostly browsers). Clients performing the standard TLS handshake as documented by GnuTLS are not affected.
Write-up by Nikos
Recommendation: For clients using the documented handshake process no action is required. Clients that use the non-standard insecure negotiation should not negotiate SSL 3.0. In all cases it recommended to disable SSL 3.0 using a priority string such as "NORMAL:-VERS-SSL3.0".
GNUTLS-SA-2014-3
CVE-2014-3466 Memory corruption This vulnerability affects the client side of the gnutls library. A server that sends a specially crafted ServerHello could corrupt the memory of a requesting client.
Analysis at radare.today
Recommendation: Upgrade to the latest gnutls version (3.1.25, 3.2.15 or 3.3.4)
GNUTLS-SA-2014-2
CVE-2014-0092 Certificate verification issue

A vulnerability was discovered that affects the certificate verification functions of all gnutls versions. A specially crafted certificate could bypass certificate validation checks. The vulnerability was discovered during an audit of GnuTLS for Red Hat.

Who is affected by this attack?

  • Anyone using certificate authentication in any version of GnuTLS.

How are past sessions affected?

  • The vulnerability to be exploited it requires an active man-in-the-middle attacker. Past sessions are not affected unless they were under such an attack.

How to mitigate the attack?

  • Upgrade to the latest GnuTLS version (3.2.12 or 3.1.22), or apply the patch for GnuTLS 2.12.x.

GNUTLS-SA-2014-1
CVE-2014-1959 Certificate verification issue

Suman Jana reported a vulnerability that affects the certificate verification functions of gnutls 2.11.5 and later versions. A version 1 intermediate certificate will be considered as a CA certificate by default (something that deviates from the documented behavior).

Who is affected by this attack?

  • Anyone who has a CA that issues X.509 version 1 certificates in his trusted list.

How to mitigate the attack?

  • Apply this patch or upgrade to the latest GnuTLS version (3.2.11 or 3.1.21).

GNUTLS-SA-2013-3
CVE-2013-4466 Denial of service This vulnerability affects the DANE library of gnutls 3.1.x and gnutls 3.2.x. A server that returns more 4 DANE entries could corrupt the memory of a requesting client.
Recommendation: Upgrade to the latest gnutls version (3.1.16 or 3.2.6)
GNUTLS-SA-2013-2
CVE-2013-2116 Denial of service This vulnerability affects gnutls 2.12.23 and its TLS record decoding.
Recommendation: Apply the patch or upgrade to gnutls 3.x.
GNUTLS-SA-2013-1
TLS CBC padding timing attack
CVE-2013-1619
Possible plaintext recovery

Nadhem Alfardan and Kenny Paterson devised an attack that recovers some bits of the plaintext of a GnuTLS session that utilizes that CBC ciphersuites, by using timing information.

In order for the attack to work the client must operate as follows. It connects to a server, it sends some (encrypted) data that will be intercepted by the attacker, who will terminate the client's connection abnormally (i.e. the client will receive a premature termination error). The client should repeat that, multiple times.

Who is affected by this attack?

  • Clients that repeatedly reconnect and transfer the same data, after a TLS fatal error occurs.

How to mitigate the attack?

  • Do not enable the CBC ciphersuites, prefer ARCFOUR or GCM modes.
  • Upgrade to the latest GnuTLS version (3.1.7, 3.0.28, or 2.12.23).
Write-up by Nikos

GNUTLS-SA-2012-4
"CRIME" attack
CVE-2012-4929
Possible plaintext recovery

There is an attack on TLS called "CRIME" which takes advantage of compression and may recover plaintext under certain circumstances.

Who is affected by this attack?

  • Clients or servers that use compression and provide the ability to an adversary to inject data (multiple times) in their session.

How to mitigate the attack?

  • Do not enable compression (GnuTLS doesn't enable it by default)
  • When using compression use the CBC ciphers that include a random padding up to 255 bytes. That would increase the number of trials an attacker needs to perform significantly.

Note that using compression provides information to an attacker on the plaintext.
Security advisory
A description of the attack
Another analysis of the attack
GNUTLS-SA-2012-3
CVE-2012-1569 Denial of service This vulnerability is in the libtasn1 library and affects the DER length decoding which is fixed in 2.12 release.
Write-up by Mu Dynamics
Recommendation: Upgrade to libtasn1 2.12.
GNUTLS-SA-2012-2
CVE-2012-1573 Possible buffer overflow/Denial of service TLS record handling vulnerability fixed in GnuTLS 3.0.15.
Write-up by Mu Dynamics
Recommendation: Upgrade to GnuTLS 3.0.17 or 2.12.18.
GNUTLS-SA-2012-1
CVE-2012-0390 Timing attack (DTLS) Announcement of GnuTLS 3.0.11
The paper describing the attack
This vulnerability allows an attacker to perform partial plaintext recovery using a timing attack in CBC-mode encryption. The attack is applicable to Datagram TLS (DTLS).
Recommendation: Upgrade to GnuTLS 3.0.11.
GNUTLS-SA-2011-2
CVE-2011-4128 Possible buffer overflow/Denial of service Mailing list discussion
Note that this vulnerability is triggered by TLS clients that utilize the session resumption functions in a particular way. Clients that perform session resumption using the same steps as in the example code of GnuTLS documentation are not vulnerable. A preliminary analysis found no vulnerable clients. Recommendation: Upgrade to GnuTLS 3.0.7 or 2.12.14.
GNUTLS-SA-2011-1
Rizzo attack on TLS Plaintext recovery Mailing list discussion
Recommendation: Make use of TLS 1.1 or TLS 1.2 protocols that are not vulnerable to the attack. TLS 1.1 is enabled by default in GnuTLS since version 2.0.0 (released in 2007). If this is not possible, disable CBC ciphers.
GNUTLS-SA-2010-1
CVE-2010-0731 Remote Denial of Service RedHat bugzilla report
Mailing list discussion

This vulnerability is on a deprecated since 2006 version of GnuTLS. We keep the information here because this version was included in some distributions. Recommendation: Upgrade to the latest stable branch.

GNUTLS-SA-2009-5
CERT VU#120541
CVE-2009-3555
Plaintext injection attack Mailing list discussion

Recommendation: Disable support for TLS renegotiation in application servers, or better upgrade to GnuTLS 2.10.x.

GNUTLS-SA-2009-4
CVE-2009-2730 False positive in certificate hostname validation Announcement of v2.8.3 that solves the problem.
Analysis of the vulnerability and minimal patch.
How to check if your GnuTLS library is vulnerable.
Back-ported patches for earlier releases: [1] [2]
Recommendation: Upgrade to GnuTLS 2.8.3 or later.
GNUTLS-SA-2009-3
CVE-2009-1417 No checking of certificate activation/expiration times Security advisory including patch
Announcement of v2.6.6 that includes patch.
Recommendation: Upgrade to GnuTLS 2.6.6 or later. If you still use the 2.4.x branch or earlier branches, apply the patch.
GNUTLS-SA-2009-2
CVE-2009-1416 GnuTLS 2.6.x DSA keys are corrupt Security advisory including patch
Announcement of v2.6.6 that includes patch.
Recommendation: If you are using GnuTLS 2.6.x, upgrade to GnuTLS 2.6.6.
GNUTLS-SA-2009-1
CVE-2009-1415 Double/invalid free in GnuTLS 2.6.x on certain errors Security advisory including patch
Announcement of v2.6.6 that includes patch.
Recommendation: If you are using GnuTLS 2.6.x, upgrade to GnuTLS 2.6.6.
GNUTLS-SA-2008-3
CVE-2008-4989 Remote X.509 Trust Chain Validation error Announcement of v2.6.1 and patch
Detailed analysis
Announcement of v2.6.2 and updated patch.
Announcement of updated patch and 2.6.3 release candidate.
Announcement of v2.6.3.
Announcement of v2.6.4 and v2.4.3.
Recommendation: Upgrade to GnuTLS 2.6.4 or, if you still use the 2.4.x branch, 2.4.3, or later.
GNUTLS-SA-2008-2
CVE-2008-2377 Local denial of service
Server can trigger crash in GnuTLS clients?
Announcement
Detailed analysis and patch
Another report that suggest it can be exploited by hostile servers
Recommendation: Upgrade to GnuTLS 2.4.1 or apply the patch.
GNUTLS-SA-2008-1
CERT-FI announcement
CVE-2008-1948, CVE-2008-1949, CVE-2008-1950
Remote Denial of Service Announcement and Patch
Updated announcement and Patch
Recommendation: Upgrade to GnuTLS 2.2.5 or apply the patch in the second link.
GNUTLS-SA-2006-4
CVE-2006-4790
(via NVD)
False positive in verifying signature Announcement
Updated patch
Original report
Recommendation: Upgrade to GnuTLS 1.4.4.
GNUTLS-SA-2006-3
None Announcement
Bleichenbacher's Crypto 98 paper
Recommendation: No action required, see the post where this advisory is essentially withdrawn.
GNUTLS-SA-2006-2
CVE-2006-7239 Denial of service? Details
Recommendation: Upgrade to GnuTLS 1.4.2.
GNUTLS-SA-2006-1
CVE-2006-0645 Denial of service? Libtasn1 Announcement
Recommendation: Upgrade to Libtasn1 0.2.18 and GnuTLS 1.2.10 (stable) or 1.3.4 (experimental).
GNUTLS-SA-2005-1
CVE-2005-1431 Denial of service Announcement
Write-up by Éric Leblond
Recommendation: Upgrade to GnuTLS 1.0.25 or 1.2.3.