Input validation error in GnuTLS and libtASN1 - CVE-2012-1569

 

Input validation error in GnuTLS and libtASN1 - CVE-2012-1569

Published: March 26, 2012 / Updated: August 11, 2020


Vulnerability identifier: #VU44184
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2012-1569
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GnuTLS
GNU
Affected software:
GnuTLS
libtASN1

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure.


How to mitigate CVE-2012-1569

Install update from vendor's website.

Sources