SB2020060979 - Man-in-the-Middle (MitM) attack in gnutls (Alpine package)
Published: June 9, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Man-in-the-Middle (MitM) attack (CVE-ID: CVE-2020-13777)
CWE-ID: CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to perform Man-in-the-Middle (MitM) attack.
The vulnerability exists due to regression, introduced into the TLS protocol implementation that caused the TLS server to not securely construct a session ticket encryption key considering the application supplied secret. A remote attacker can bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=8eda5a89647412e22290f72b76ba3b3d09c5f03a
- https://git.alpinelinux.org/aports/commit/?id=01b34eb306a6e0a3ce306d4ed7b604064ea6da7b
- https://git.alpinelinux.org/aports/commit/?id=565cd4a00c5d66310eaae4df09f4578feaaba004
- https://git.alpinelinux.org/aports/commit/?id=3fb686ea66d1367fe5f9c189c4277ed86299ee89
- https://git.alpinelinux.org/aports/commit/?id=001e8c2217317bd8dc53c360e2a1067d338cdb09
- https://git.alpinelinux.org/aports/commit/?id=9b3acf4771f5aca10335e0374abc9b66661e8c9c
- https://git.alpinelinux.org/aports/commit/?id=7eb9ebd56a745bcffb9e8e6539914a04dbc75a32
- https://git.alpinelinux.org/aports/commit/?id=a3d783e23decbf703f3677c76f0f4b48bb598da8
- https://git.alpinelinux.org/aports/commit/?id=271cc04541887a5e075721bba033b0c7dc5eda8c