#VU32575 Cryptographic issues in GnuTLS - CVE-2014-0092

Cybersecurity Help s.r.o.

Published: 2014-03-07 | Updated: 2020-07-28

Vulnerability identifier: #VU32575

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-0092

CWE-ID: CWE-310

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
GnuTLS
Universal components / Libraries / Libraries used by multiple products

Vendor: GnuTLS

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

Mitigation
Install update from vendor's website.

Vulnerable software versions

GnuTLS: 3.1.0 - 3.1.21

External links
https://gnutls.org/security.html#GNUTLS-SA-2014-2
https://lists.opensuse.org/opensuse-security-announce/2014-03/msg00000.html
https://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html
https://lists.opensuse.org/opensuse-security-announce/2014-03/msg00002.html
https://lists.opensuse.org/opensuse-security-announce/2014-03/msg00003.html
https://lists.opensuse.org/opensuse-security-announce/2014-03/msg00004.html
https://lists.opensuse.org/opensuse-security-announce/2014-03/msg00005.html
https://lists.opensuse.org/opensuse-security-announce/2014-03/msg00006.html
https://lists.opensuse.org/opensuse-security-announce/2014-03/msg00007.html
https://lists.opensuse.org/opensuse-security-announce/2014-03/msg00009.html
https://lists.opensuse.org/opensuse-security-announce/2014-03/msg00020.html
https://rhn.redhat.com/errata/RHSA-2014-0246.html
https://rhn.redhat.com/errata/RHSA-2014-0247.html
https://rhn.redhat.com/errata/RHSA-2014-0288.html
https://rhn.redhat.com/errata/RHSA-2014-0339.html
https://secunia.com/advisories/56933
https://secunia.com/advisories/57103
https://secunia.com/advisories/57204
https://secunia.com/advisories/57254
https://secunia.com/advisories/57260
https://secunia.com/advisories/57274
https://secunia.com/advisories/57321
https://www.debian.org/security/2014/dsa-2869
https://www.securityfocus.com/bid/65919
https://www.ubuntu.com/usn/USN-2127-1
https://bugzilla.redhat.com/show_bug.cgi?id=1069865

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for GnuTLS

Cryptographic issues in IBM TS3000

Cryptographic issues in GnuTLS

Amazon Linux AMI update for gnutls

Cryptographic issues in gnutls (Alpine package)

Slackware Linux update for gnutls

SUSE Linux update for gnutls