Amazon Linux AMI update for gnutls

Published: 2017-04-07

Risk	Low
Patch available	YES
Number of vulnerabilities	4
CVE-ID	CVE-2017-5335 CVE-2017-5336 CVE-2017-5337 CVE-2016-8610
CWE-ID	CWE-119 CWE-121 CWE-122 CWE-388
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Amazon Linux AMI Operating systems & Components / Operating system
Vendor	Amazon Web Services

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Memory corruption

EUVDB-ID: #VU7657

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-5335

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists due to insufficient error checking in the stream-reading functions. A remote attacker can send a specially crafted OpenPGP certificate, trigger memory corruption and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Mitigation

Update the affected packages.

i686:
    gnutls-2.12.23-21.18.amzn1.i686
    gnutls-devel-2.12.23-21.18.amzn1.i686
    gnutls-guile-2.12.23-21.18.amzn1.i686
    gnutls-utils-2.12.23-21.18.amzn1.i686
    gnutls-debuginfo-2.12.23-21.18.amzn1.i686

src:
    gnutls-2.12.23-21.18.amzn1.src

x86_64:
    gnutls-guile-2.12.23-21.18.amzn1.x86_64
    gnutls-debuginfo-2.12.23-21.18.amzn1.x86_64
    gnutls-devel-2.12.23-21.18.amzn1.x86_64
    gnutls-utils-2.12.23-21.18.amzn1.x86_64
    gnutls-2.12.23-21.18.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2017-815.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Stack-based buffer overflow

EUVDB-ID: #VU7658

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-5336

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists due to improper processing of malicious OpenPGP certificates by the cdk_pk_get_keyid function. A remote attacker can send a specially crafted OpenPGP certificate, trigger stack-based buffer overflow and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Mitigation

Update the affected packages.

i686:
    gnutls-2.12.23-21.18.amzn1.i686
    gnutls-devel-2.12.23-21.18.amzn1.i686
    gnutls-guile-2.12.23-21.18.amzn1.i686
    gnutls-utils-2.12.23-21.18.amzn1.i686
    gnutls-debuginfo-2.12.23-21.18.amzn1.i686

src:
    gnutls-2.12.23-21.18.amzn1.src

x86_64:
    gnutls-guile-2.12.23-21.18.amzn1.x86_64
    gnutls-debuginfo-2.12.23-21.18.amzn1.x86_64
    gnutls-devel-2.12.23-21.18.amzn1.x86_64
    gnutls-utils-2.12.23-21.18.amzn1.x86_64
    gnutls-2.12.23-21.18.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2017-815.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Heap-based buffer overflow

EUVDB-ID: #VU7660

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-5337

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists due to improper processing of malicious OpenPGP certificates by the read_attribute function. A remote attacker can send a specially crafted OpenPGP certificate, trigger heap-based buffer overflow and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Mitigation

Update the affected packages.

i686:
    gnutls-2.12.23-21.18.amzn1.i686
    gnutls-devel-2.12.23-21.18.amzn1.i686
    gnutls-guile-2.12.23-21.18.amzn1.i686
    gnutls-utils-2.12.23-21.18.amzn1.i686
    gnutls-debuginfo-2.12.23-21.18.amzn1.i686

src:
    gnutls-2.12.23-21.18.amzn1.src

x86_64:
    gnutls-guile-2.12.23-21.18.amzn1.x86_64
    gnutls-debuginfo-2.12.23-21.18.amzn1.x86_64
    gnutls-devel-2.12.23-21.18.amzn1.x86_64
    gnutls-utils-2.12.23-21.18.amzn1.x86_64
    gnutls-2.12.23-21.18.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2017-815.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Denial of service

EUVDB-ID: #VU1083

Risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-8610

CWE-ID: CWE-388 - Error Handling

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated user to exhaust memory on the target system.
The weakness is due to improper handling of certain packets by the ssl3_read_bytes() function in 'ssl/s3_pkt.c.
By sending a flood of SSL3_AL_WARNING alerts during the SSL handshake, a remote attacker can consume excessive CPU resources that may lead to OpenSSL library being unavailable.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.

Mitigation

Update the affected packages.

i686:
    gnutls-2.12.23-21.18.amzn1.i686
    gnutls-devel-2.12.23-21.18.amzn1.i686
    gnutls-guile-2.12.23-21.18.amzn1.i686
    gnutls-utils-2.12.23-21.18.amzn1.i686
    gnutls-debuginfo-2.12.23-21.18.amzn1.i686

src:
    gnutls-2.12.23-21.18.amzn1.src

x86_64:
    gnutls-guile-2.12.23-21.18.amzn1.x86_64
    gnutls-debuginfo-2.12.23-21.18.amzn1.x86_64
    gnutls-devel-2.12.23-21.18.amzn1.x86_64
    gnutls-utils-2.12.23-21.18.amzn1.x86_64
    gnutls-2.12.23-21.18.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2017-815.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.