PT-2024-2444 · Gnutls+8
William Woodruff
Published 2024-03-20 · Updated 2025-02-03 · CVE-2024-28835
| CVSS v3.1 | 5.0 (Medium) |
| Vector | AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
GnuTLS versions prior to 3.8.4
Description
A flaw in the GnuTLS library stems from improper handling of an exceptional condition while the cert_list_size parameter of the gnutls_x509_trust_list_verify_crt2() function is processed. The certtool utility reaches the defective path when it verifies a certificate chain, so an attacker who supplies a specially crafted certificate bundle in PEM encoding and has it checked with "certtool --verify-chain" can crash the process, a denial of service. Confidentiality and integrity are not affected. As the CVSS vector (AV:L, UI:R) indicates, the crafted .pem file has to be handed to a user who verifies it locally; no public exploit has been reported.
Recommendations
For GnuTLS versions prior to 3.8.4, update to 3.8.4 or later. Distribution packages (see the affected products below) often carry the fix under an older upstream version number, so check the vendor advisory rather than the version string alone. Until the update is applied, do not run certtool --verify-chain, or certtool at all, on .pem bundles from untrusted sources. Because the defect sits in the library function rather than only in certtool, treat that restriction as a stopgap: other applications that verify untrusted certificate chains through gnutls_x509_trust_list_verify_crt2() should receive the updated library as well.
Fix
Fixed upstream in GnuTLS 3.8.4.
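As an added example, not part of this advisory or of the GnuTLS project: a POSIX shell check that reports whether an installed GnuTLS predates 3.8.4, the first upstream release with the fix. It compares dotted numeric version components rather than strings, so 3.7.11 sorts before 3.8.4 and 3.8.10 after it. The function names (version_lt, gnutls_affected, installed_gnutls_version) are my own; the tools it invokes (pkg-config --modversion, certtool --version, whose first line reads "certtool <version>") are standard. A version number below 3.8.4 does not prove a distribution package is vulnerable, since vendors backport fixes; the script says so in its output.

```shell
#!/bin/sh
# Added example, not part of the advisory or the GnuTLS project.
# Reports whether an installed GnuTLS predates 3.8.4, the first upstream
# release with the fix for CVE-2024-28835. Versions are compared component
# by component, so 3.7.11 < 3.8.4 and 3.8.10 > 3.8.4 come out right.

FIXED_VERSION="3.8.4"

# version_lt A B: succeed (exit 0) when A is strictly older than B.
# A non-numeric suffix inside a component (e.g. "4-2ubuntu1") is ignored.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        # drop the component just consumed (empty once no dot remains)
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ax="${ax%%[!0-9]*}"; bx="${bx%%[!0-9]*}"
        ax="${ax:-0}"; bx="${bx:-0}"
        [ "$ax" -lt "$bx" ] && return 0
        [ "$ax" -gt "$bx" ] && return 1
    done
    return 1   # equal
}

# gnutls_affected VERSION: succeed when VERSION is older than the fixed release.
gnutls_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_gnutls_version: print the library version, or fail if unknown.
# Prefers pkg-config (gnutls.pc); falls back to the first line of
# "certtool --version", which reads "certtool 3.8.4".
installed_gnutls_version() {
    v=""
    if command -v pkg-config >/dev/null 2>&1; then
        v="$(pkg-config --modversion gnutls 2>/dev/null || true)"
    fi
    if [ -z "$v" ] && command -v certtool >/dev/null 2>&1; then
        v="$(certtool --version 2>/dev/null | head -n 1 | grep -o '[0-9][0-9.]*' | head -n 1 || true)"
    fi
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Top-level check against the host this script runs on.
if v="$(installed_gnutls_version)"; then
    if gnutls_affected "$v"; then
        echo "GnuTLS $v predates $FIXED_VERSION: affected by CVE-2024-28835 unless your distribution backported the fix"
    else
        echo "GnuTLS $v is $FIXED_VERSION or later: not affected by CVE-2024-28835"
    fi
else
    echo "could not determine the installed GnuTLS version" >&2
fi
```

Run it on each host that has certtool installed; a "predates" result means the vendor advisory for that package must be consulted before concluding the host is exposed.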
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Gnutls
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu