#VU26487 Use of insufficiently random values in GnuTLS - CVE-2020-11501

 


Published: March 31, 2020 / Updated: April 4, 2020


Vulnerability identifier: #VU26487
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-11501
CWE-ID: CWE-330
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
GnuTLS
Software vendor:
GnuTLS

Description

The vulnerability allows a remote attacker to decrypt data.

The vulnerability exists in the GnuTLS DTLS protocol implementation due to an error in code that caused the DTLS client not to contribute any randomness to the DTLS negotiation. As a result, a remote attacker with the ability to intercept network traffic can decrypt data passed via a TLS 1.3 connection and gain access to sensitive information.
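A defender can check captured DTLS traffic for affected clients by inspecting the `random` field of each plaintext ClientHello. The following is an added example, not code from GnuTLS or from this advisory; it assumes the missing client randomness appears on the wire as an all-zero 32-byte `ClientHello.random`, and the function names and the sample datagrams are constructed for illustration.

```python
import struct

RECORD_HDR = 13     # type(1) version(2) epoch(2) sequence(6) length(2)
HANDSHAKE_HDR = 12  # msg_type(1) length(3) msg_seq(2) frag_offset(3) frag_length(3)
HELLO_PREFIX = 34   # client_version(2) + random(32)

def client_hello_random(datagram):
    """Return ClientHello.random from a plaintext DTLS datagram, else None."""
    pos = 0
    while pos + RECORD_HDR <= len(datagram):
        ctype, major, epoch = struct.unpack_from("!BBxH", datagram, pos)
        (rec_len,) = struct.unpack_from("!H", datagram, pos + 11)
        body = datagram[pos + RECORD_HDR:pos + RECORD_HDR + rec_len]
        pos += RECORD_HDR + rec_len
        # Only unencrypted (epoch 0) handshake records of a DTLS version (0xFE..)
        if ctype != 22 or major != 0xFE or epoch != 0 or len(body) < HANDSHAKE_HDR:
            continue
        frag_off = int.from_bytes(body[6:9], "big")
        frag_len = int.from_bytes(body[9:12], "big")
        frag = body[HANDSHAKE_HDR:HANDSHAKE_HDR + frag_len]
        # The random is only recoverable from the first fragment of a ClientHello
        if body[0] == 1 and frag_off == 0 and len(frag) >= HELLO_PREFIX:
            return frag[2:34]
    return None

def has_zero_client_random(datagram):
    """True/False for a parsed ClientHello, None if the datagram holds none."""
    rnd = client_hello_random(datagram)
    return None if rnd is None else rnd == bytes(32)

def build_client_hello(random32):
    """Constructed sample input: a minimal DTLS 1.2 ClientHello datagram."""
    body = b"\xfe\xfd" + random32 + b"\x00\x00" + b"\x00\x02\xc0\x2b" + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + b"\x00\x00" \
        + b"\x00\x00\x00" + len(body).to_bytes(3, "big") + body
    return b"\x16\xfe\xfd" + b"\x00\x00" + bytes(6) + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    for label, rnd in (("zero", bytes(32)), ("random", bytes(range(1, 33)))):
        print(label, has_zero_client_random(build_client_hello(rnd)))
```

A `True` result for a client identifies a host whose GnuTLS build should be updated; fragmented ClientHello messages return `None` and need reassembly before they can be judged.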


Remediation

Install updates from vendor's website.

External links