CVE-2008-4989

medium

Description

The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).
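The flaw is a chain-walk error, not a cryptographic one, and its shape is easier to see in code than in the one-sentence description. The following is an added example, not GnuTLS source: a minimal chain verifier written from the advisory's description (the chain is accepted when its tail is a trusted self-signed certificate, the tail is dropped before the pairwise signature walk so that a root is never checked against itself, and the link into the dropped anchor is never verified), beside a corrected walk that checks every link up to the trust anchor. Certificates are small records and signatures are Lamport one-time signatures over SHA-256, so a genuine public-key check runs with the standard library alone (each key signs exactly one certificate here). The names "Example Root CA", "Evil CA" and "www.example.com" are constructed, and the name-only `is_self_signed` test is an assumption standing in for an issuer-DN comparison.

```python
"""Model of the chain-walk flaw behind CVE-2008-4989 (added example, not GnuTLS code).
Only the verifier's logic is modelled, not X.509 parsing."""
import hashlib
import secrets
from dataclasses import dataclass


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport key pair: 256 pairs of 32-byte secrets; the public key is their hashes."""
    sk = tuple((secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256))
    pk = tuple((sha256(a), sha256(b)) for a, b in sk)
    return sk, pk


def _bits(msg: bytes):
    h = sha256(msg)
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    """Reveal one secret per bit of the message digest (one-time use per key)."""
    return tuple(sk[i][b] for i, b in enumerate(_bits(msg)))


def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        sha256(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: tuple   # subject's Lamport public key
    sig: tuple      # issuer's signature over tbs(); empty for a root


def tbs(subject: str, issuer: str, pubkey) -> bytes:
    """Signed portion: both names plus a digest of the subject key."""
    return b"\x00".join([subject.encode(), issuer.encode(),
                         sha256(b"".join(a + b for a, b in pubkey))])


def make_root(name: str):
    """Roots are trusted by trust-store membership, not by a self-signature,
    so the model leaves the self-signature empty."""
    sk, pk = keygen()
    return Cert(name, name, pk, ()), sk


def issue(subject: str, issuer_cert: Cert, issuer_sk):
    sk, pk = keygen()
    sig = sign(issuer_sk, tbs(subject, issuer_cert.subject, pk))
    return Cert(subject, issuer_cert.subject, pk, sig), sk


def is_self_signed(cert: Cert) -> bool:
    # Assumption: name equality only, standing in for an issuer-DN == subject-DN
    # check; no signature is verified here.
    return cert.subject == cert.issuer


def signed_by(cert: Cert, issuer: Cert) -> bool:
    return cert.issuer == issuer.subject and verify(
        issuer.pubkey, tbs(cert.subject, cert.issuer, cert.pubkey), cert.sig)


def verify_chain_vulnerable(chain, trusted) -> bool:
    """Flawed logic as the advisory describes it: accept if the tail is trusted
    (or issued by a trusted cert), drop a self-signed tail so a root is never
    checked against itself, then walk pairwise over what is left."""
    chain = list(chain)
    tail = chain[-1]
    if not (tail in trusted or any(signed_by(tail, t) for t in trusted)):
        return False
    if len(chain) > 1 and is_self_signed(tail):
        chain.pop()  # the bug: the link chain[-2] -> tail is now never checked
    return all(signed_by(chain[i - 1], chain[i]) for i in range(len(chain) - 1, 0, -1))


def verify_chain_fixed(chain, trusted) -> bool:
    """Stop at the first trusted certificate in the chain (anything after it is
    irrelevant) and verify every link up to it, the anchor included."""
    chain = list(chain)
    for i, cert in enumerate(chain):
        if cert in trusted:
            chain = chain[:i + 1]
            break
    else:  # no trusted cert sent: the tail must be issued by one
        if not any(signed_by(chain[-1], t) for t in trusted):
            return False
    return all(signed_by(chain[i - 1], chain[i]) for i in range(len(chain) - 1, 0, -1))


def demo():
    """Constructed scenario: one trusted root, a legitimate leaf, and a spoofed
    leaf for the same name issued by an attacker-controlled CA."""
    root, root_sk = make_root("Example Root CA")
    evil, evil_sk = make_root("Evil CA")
    leaf, _ = issue("www.example.com", root, root_sk)
    spoof, _ = issue("www.example.com", evil, evil_sk)
    trusted = [root]
    chains = {
        "legit [leaf, root]": [leaf, root],
        "legit [leaf] (root not sent)": [leaf],
        "spoof [spoof, root]": [spoof, root],
        "spoof [spoof, evil, root]": [spoof, evil, root],
        "spoof [spoof, evil]": [spoof, evil],
    }
    return {name: (verify_chain_vulnerable(c, trusted), verify_chain_fixed(c, trusted))
            for name, c in chains.items()}


if __name__ == "__main__":
    for name, (vuln, fixed) in demo().items():
        print(f"{name:30} vulnerable={vuln!s:5} fixed={fixed}")
```

`verify_chain_vulnerable` accepts both `[spoof, root]` and `[spoof, evil, root]` for any root in the victim's trust store, and a root certificate is public, so the attacker only needs to know which CA bundle the client uses. `verify_chain_fixed` rejects both because the certificate immediately before the anchor must carry a signature that verifies under the anchor's key; the legitimate chains, with and without the root attached, pass under both.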

References

http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215

http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3217

http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html

http://secunia.com/advisories/32619

http://secunia.com/advisories/32681

http://secunia.com/advisories/32687

http://secunia.com/advisories/32879

http://secunia.com/advisories/33501

http://secunia.com/advisories/33694

http://secunia.com/advisories/35423

http://security.gentoo.org/glsa/glsa-200901-10.xml

http://sunsolve.sun.com/search/document.do?assetkey=1-26-260528-1

http://wiki.rpath.com/Advisories:rPSA-2008-0322

http://www.debian.org/security/2009/dsa-1719

http://www.gnu.org/software/gnutls/security.html

http://www.mandriva.com/security/advisories?name=MDVSA-2008:227

http://www.redhat.com/support/errata/RHSA-2008-0982.html

http://www.securityfocus.com/archive/1/498431/100/0/threaded

http://www.securityfocus.com/bid/32232

http://www.securitytracker.com/id?1021167

http://www.ubuntu.com/usn/usn-678-2

http://www.vupen.com/english/advisories/2008/3086

http://www.vupen.com/english/advisories/2009/1567

https://exchange.xforce.ibmcloud.com/vulnerabilities/46482

https://issues.rpath.com/browse/RPL-2886

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11650

https://usn.ubuntu.com/678-1/

https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00222.html

https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00293.html

Details

Source: MITRE

Published: 2008-11-13

Updated: 2018-10-11

Type: CWE-255

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM
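As an added check, not part of the page, the following recomputes the impact, exploitability and base scores from the vector string with the CVSS v2 base equation and maps the base score to the severity band shown above. The metric weights and the NVD band boundaries are the published CVSS v2 values; the vector parsing assumes the NVD `AV:x/AC:x/Au:x/C:x/I:x/A:x` form used here.

```python
"""Recompute CVSS v2 scores from a base vector (added example, not Tenable code)."""

# Metric weights from the CVSS v2 base equation.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}


def cvss2_scores(vector: str):
    """Return (base, impact, exploitability), each rounded to one decimal."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round(base, 1), round(impact, 1), round(exploitability, 1)


def cvss2_severity(base: float) -> str:
    """NVD bands for v2: 0.0-3.9 Low, 4.0-6.9 Medium, 7.0-10.0 High."""
    return "LOW" if base < 4.0 else "MEDIUM" if base < 7.0 else "HIGH"


def check_published(vector: str, base: float, impact: float, exploitability: float) -> bool:
    """True if the published numbers agree with the vector they sit next to."""
    return cvss2_scores(vector) == (base, impact, exploitability)


if __name__ == "__main__":
    v = "AV:N/AC:M/Au:N/C:N/I:P/A:N"
    b, i, e = cvss2_scores(v)
    print(v, "->", b, i, e, cvss2_severity(b), "consistent:", check_published(v, 4.3, 2.9, 8.6))
```

For this CVE the vector yields 2.9 impact, 8.6 exploitability and a 4.3 base, which agrees with the listed values; the integrity-only partial impact (`I:P`) is what keeps the base in the Medium band despite network reachability with no authentication.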

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:gnu:gnutls:1.0.16:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.0.17:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.0.18:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.0.19:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.0.20:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.0.21:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.0.22:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.0.23:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.0.24:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.0.25:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.1.13:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.1.14:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.1.15:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.1.16:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.1.17:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.1.18:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.1.19:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.1.20:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.1.21:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.1.22:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.1.23:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.2.0:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.2.1:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.2.2:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.2.3:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.2.4:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.2.5:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.2.6:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.2.7:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.2.8:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.2.8.1a1:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.2.9:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.2.10:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.2.11:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.3.1:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.3.2:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.3.3:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.3.4:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.3.5:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.4.1:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.4.2:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.4.3:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.4.4:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.4.5:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.5.0:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.5.1:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.5.2:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.5.3:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.5.4:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.5.5:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.6.0:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.6.1:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.6.2:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.6.3:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.0:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.1:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.2:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.3:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.4:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.5:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.6:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.7:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.8:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.9:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.10:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.11:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.12:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.13:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.14:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.15:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.16:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.17:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.18:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:1.7.19:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.0.0:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.0.1:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.0.2:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.0.3:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.0.4:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.1.0:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.1.1:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.1.2:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.1.3:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.1.4:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.1.5:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.1.6:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.1.7:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.1.8:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.2.0:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.2.1:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.2.2:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.2.3:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.2.4:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.2.5:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.3.0:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.3.1:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.3.2:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.3.3:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.3.4:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.3.5:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.3.6:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.3.7:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.3.8:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.3.9:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.3.10:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.3.11:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.4.0:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.4.1:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:2.4.2:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:* versions up to 2.6.0 (inclusive)

Tenable Plugins

34 plugins. Severity in this table is the plugin's own rating, not this CVE's; a plugin that covers several advisories can rate higher than the CVE it lists.

ID | Name | Product | Family | Severity
107902 | Solaris 10 (x86) : 123939-05 | Nessus | Solaris Local Security Checks | medium
107901 | Solaris 10 (x86) : 123939-04 | Nessus | Solaris Local Security Checks | medium
107900 | Solaris 10 (x86) : 123939-03 | Nessus | Solaris Local Security Checks | medium
107899 | Solaris 10 (x86) : 123939-02 | Nessus | Solaris Local Security Checks | medium
107399 | Solaris 10 (sparc) : 123938-05 | Nessus | Solaris Local Security Checks | medium
107398 | Solaris 10 (sparc) : 123938-04 | Nessus | Solaris Local Security Checks | medium
107397 | Solaris 10 (sparc) : 123938-03 | Nessus | Solaris Local Security Checks | medium
107396 | Solaris 10 (sparc) : 123938-02 | Nessus | Solaris Local Security Checks | medium
67768 | Oracle Linux 5 : gnutls (ELSA-2008-0982) | Nessus | Oracle Linux Local Security Checks | medium
62276 | Fedora 10 : gnutls-2.4.2-3.fc10 (2008-10162) | Nessus | Fedora Local Security Checks | medium
60492 | Scientific Linux Security Update : gnutls on SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | medium
43716 | CentOS 5 : gnutls (CESA-2008:0982) | Nessus | CentOS Local Security Checks | medium
41516 | SuSE 10 Security Update : GnuTLS (ZYPP Patch Number 6073) | Nessus | SuSE Local Security Checks | medium
41515 | SuSE 10 Security Update : GnuTLS (ZYPP Patch Number 5851) | Nessus | SuSE Local Security Checks | medium
41398 | SuSE 11 Security Update : GnuTLS (SAT Patch Number 632) | Nessus | SuSE Local Security Checks | medium
40656 | Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : gnutls12, gnutls13, gnutls26 vulnerabilities (USN-809-1) | Nessus | Ubuntu Local Security Checks | high
40224 | openSUSE Security Update : gnutls (gnutls-605) | Nessus | SuSE Local Security Checks | medium
39973 | openSUSE Security Update : gnutls (gnutls-605) | Nessus | SuSE Local Security Checks | medium
39972 | openSUSE Security Update : gnutls (gnutls-358) | Nessus | SuSE Local Security Checks | medium
37965 | Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : gnutls12, gnutls13, gnutls26 vulnerability (USN-678-1) | Nessus | Ubuntu Local Security Checks | medium
37490 | Fedora 10 2008-10000 | Nessus | Fedora Local Security Checks | critical
37045 | Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : gnutls12, gnutls13, gnutls26 regression (USN-678-2) | Nessus | Ubuntu Local Security Checks | medium
36960 | Mandriva Linux Security Advisory : gnutls (MDVSA-2008:227-1) | Nessus | Mandriva Local Security Checks | medium
36201 | openSUSE 10 Security Update : gnutls (gnutls-6079) | Nessus | SuSE Local Security Checks | medium
35637 | Debian DSA-1719-1 : gnutls13 - design flaw | Nessus | Debian Local Security Checks | medium
35379 | GLSA-200901-10 : GnuTLS: Certificate validation error | Nessus | Gentoo Local Security Checks | medium
35080 | openSUSE 10 Security Update : gnutls (gnutls-5844) | Nessus | SuSE Local Security Checks | medium
34786 | FreeBSD : gnutls -- X.509 certificate chain validation vulnerability (45298931-b3bf-11dd-80f8-001cc0377035) | Nessus | FreeBSD Local Security Checks | medium
34752 | RHEL 5 : gnutls (RHSA-2008:0982) | Nessus | Red Hat Local Security Checks | medium
34750 | Fedora 8 : gnutls-1.6.3-5.fc8 (2008-9600) | Nessus | Fedora Local Security Checks | medium
34748 | Fedora 9 : gnutls-2.0.4-4.fc9 (2008-9530) | Nessus | Fedora Local Security Checks | medium
34731 | Slackware 12.0 / 12.1 / current : gnutls (SSA:2008-315-01) | Nessus | Slackware Local Security Checks | medium
24386 | Solaris 10 (x86) : 123939-05 (deprecated) | Nessus | Solaris Local Security Checks | medium
24374 | Solaris 10 (sparc) : 123938-05 (deprecated) | Nessus | Solaris Local Security Checks | medium