PT-2020-2140 · GNU · GnuTLS
Published: 2020-03-27 · Updated: 2022-07-13 · CVE-2020-11501
CVSS v2.0: 9.4 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions
GnuTLS versions 3.6.3 through 3.6.12
Description
The issue is related to the send client hello function in the GnuTLS cryptographic library, which has shortcomings in the cryptographic algorithms it uses. This can allow a remote attacker to gain unauthorized access to confidential data or to affect data integrity. The problem arises because the DTLS client always uses 32 '\0' bytes instead of a random value, so it contributes no randomness to a DTLS negotiation, which breaks the security guarantees of the DTLS protocol.
Recommendations
For GnuTLS versions 3.6.3 through 3.6.12, update to version 3.6.13 or later to resolve the issue. As a temporary workaround, consider restricting the use of the DTLS protocol until a patch is available. Avoid using the DTLS client with the affected versions of GnuTLS to minimize the risk of exploitation.
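An added example (not part of the original advisory and not GnuTLS code): a Python check that extracts the ClientHello random from a captured DTLS 1.0/1.2 datagram and flags the all-zero value described above, which helps locate affected clients that are still in use. The function names and the sample datagrams are constructed for illustration.

```python
import struct

RECORD_HDR = 13     # type(1) version(2) epoch(2) sequence(6) length(2)
HANDSHAKE_HDR = 12  # msg_type(1) length(3) msg_seq(2) frag_offset(3) frag_len(3)
DTLS_VERSIONS = {0xFEFF, 0xFEFD}  # record versions for DTLS 1.0 and DTLS 1.2

def client_hello_random(datagram: bytes):
    """Return the 32-byte ClientHello random in a DTLS datagram, or None."""
    pos = 0
    while pos + RECORD_HDR <= len(datagram):
        ctype, version, epoch = struct.unpack_from("!BHH", datagram, pos)
        (rec_len,) = struct.unpack_from("!H", datagram, pos + 11)
        body = datagram[pos + RECORD_HDR:pos + RECORD_HDR + rec_len]
        pos += RECORD_HDR + rec_len
        # Only plaintext (epoch 0) handshake records can hold a readable hello.
        if ctype != 22 or epoch != 0 or version not in DTLS_VERSIONS:
            continue
        # Need the handshake header plus client_version(2) and random(32).
        if len(body) < HANDSHAKE_HDR + 34 or body[0] != 1:
            continue
        if int.from_bytes(body[6:9], "big") != 0:
            continue  # the random is carried only in the first fragment
        return body[HANDSHAKE_HDR + 2:HANDSHAKE_HDR + 34]
    return None

def has_zero_client_random(datagram: bytes) -> bool:
    """True when a ClientHello is present and its random is 32 zero bytes."""
    return client_hello_random(datagram) == bytes(32)

def build_client_hello(random: bytes) -> bytes:
    """Constructed sample: minimal DTLS 1.2 ClientHello carrying `random`."""
    body = (b"\xfe\xfd" + random + b"\x00\x00"    # version, random, empty session_id and cookie
            + b"\x00\x02\xc0\x2b" + b"\x01\x00")  # one cipher suite, null compression
    size = len(body).to_bytes(3, "big")
    handshake = b"\x01" + size + b"\x00\x00" + b"\x00\x00\x00" + size + body
    return b"\x16\xfe\xfd" + bytes(8) + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    for label, rnd in (("zero random", bytes(32)), ("varied random", bytes(range(1, 33)))):
        print(label, has_zero_client_random(build_client_hello(rnd)))
```

Feed it the UDP payloads of client-to-server packets from a capture; a hit means the client sent a ClientHello random of 32 zero bytes, which is the behaviour this advisory describes.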
Fix
Use of Insufficiently Random Values
Use of a Broken Cryptographic Algorithm
Related Identifiers
Affected Products
ALT Linux
CentOS
GnuTLS
Red Hat
SUSE
Ubuntu