Use of insufficiently random values in gnutls (Alpine package)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-11501 |
| CWE-ID | CWE-330 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
gnutls (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Use of insufficiently random values
EUVDB-ID: #VU26487
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-11501
CWE-ID:
CWE-330 - Use of Insufficiently Random Values
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to decrypt data.
The vulnerability exists in GnuTLS DTLS protocol implementation due to an error in code that caused DTLS client not to contribute any randomness to the DTLS negotiation. As a result a remote attacker with ability to intercept network traffic can decrypt data passed via TLS 1.3 connection and gain access to sensitive information.
Install update from vendor's website.
Vulnerable software versionsgnutls (Alpine package): 3.6.6-r0 - 3.6.12-r0
External linkshttp://git.alpinelinux.org/aports/commit/?id=3fb686ea66d1367fe5f9c189c4277ed86299ee89
http://git.alpinelinux.org/aports/commit/?id=001e8c2217317bd8dc53c360e2a1067d338cdb09
http://git.alpinelinux.org/aports/commit/?id=9b3acf4771f5aca10335e0374abc9b66661e8c9c
http://git.alpinelinux.org/aports/commit/?id=7eb9ebd56a745bcffb9e8e6539914a04dbc75a32
http://git.alpinelinux.org/aports/commit/?id=a3d783e23decbf703f3677c76f0f4b48bb598da8
http://git.alpinelinux.org/aports/commit/?id=271cc04541887a5e075721bba033b0c7dc5eda8c
http://git.alpinelinux.org/aports/commit/?id=184bdcdae88dadac240902be8a85c234a429d36c
http://git.alpinelinux.org/aports/commit/?id=dbcc36c66155b96dcc492f442827bf7d7e70ff4c
http://git.alpinelinux.org/aports/commit/?id=867f20fe0c02ed03827ae4034b70b82e0779759b
http://git.alpinelinux.org/aports/commit/?id=8cf8b1ca80440667bb00d77c8fdb879231748e74
http://git.alpinelinux.org/aports/commit/?id=8d1333f083ad221103d350e18192f5b9f02d5fae
http://git.alpinelinux.org/aports/commit/?id=76044ac91c53d083aafd7f87c0ec5464f5889409
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
