SUSE update for glib-networking

1) Improper validation of certificate with host mismatch

EUVDB-ID: #VU29491

Risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-13645

CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists in GNOME glib-networking due to implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. A remote attacker can perform a Man-in-he-Middle (MitM) attack and gain access to sensitive information.

Mitigation

Update the affected package glib-networking to the latest version.

Vulnerable software versions

SUSE MicroOS: 5.0 - 5.1

SUSE Linux Enterprise Module for Basesystem: 15-SP2 - 15-SP3

glib-networking-lang: before 2.62.4-3.3.1

glib-networking-debugsource: before 2.62.4-3.3.1

glib-networking-debuginfo: before 2.62.4-3.3.1

glib-networking: before 2.62.4-3.3.1

CPE2.3

• cpe:2.3:o:suse:suse_microos:5.1:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_microos:5.0:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_module_for_basesystem:15-SP3:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_module_for_basesystem:15-SP2:*:*:*:*:*:*:

External links

http://www.suse.com/support/update/announcement/2021/suse-su-20213944-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.