Vulnerability identifier: #VU44203
Vulnerability risk: Medium
CVSSv3.1: 6.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-399
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
GnuTLS
Universal components / Libraries /
Libraries used by multiple products
Vendor: GnuTLS
Description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Double free vulnerability in libgnutls in GnuTLS before 3.0.14 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted certificate list.
Mitigation
Install update from vendor's website.
Vulnerable software versions
GnuTLS: 1.0.16 - 3.0.12
External links
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5866
http://www.exploit-db.com/exploits/24865
http://exchange.xforce.ibmcloud.com/vulnerabilities/74099
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.