Input validation error in GnuTLS

#VU32426 Input validation error in GnuTLS

Published: 2015-09-02 | Updated: 2020-07-28

Vulnerability identifier: #VU32426

Vulnerability risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3308

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
GnuTLS
Universal components / Libraries / Libraries used by multiple products

Vendor: GnuTLS

Description

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service or possibly have unspecified other impact via a crafted CRL distribution point.

Mitigation
Update to version 3.3.14.

Vulnerable software versions

GnuTLS: 3.3.0 - 3.3.13

External links
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155101.html
http://www.gnutls.org/security.html#GNUTLS-SA-2015-4
http://www.openwall.com/lists/oss-security/2015/04/15/6
http://www.openwall.com/lists/oss-security/2015/04/16/6
http://www.securityfocus.com/bid/74188
http://www.securitytracker.com/id/1033774
http://www.ubuntu.com/usn/USN-2727-1
http://gitlab.com/gnutls/gnutls/commit/053ae65403216acdb0a4e78b25ad66ee9f444f02
http://gitlab.com/gnutls/gnutls/commit/d6972be33264ecc49a86cd0958209cd7363af1e9
http://security.gentoo.org/glsa/201506-03

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in GnuTLS

Gentoo update for GnuTLS

Input validation error in gnutls (Alpine package)