CVE-2014-0092

medium

Description

lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

References

http://gnutls.org/security.html#GNUTLS-SA-2014-2

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00000.html

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00004.html

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00005.html

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00006.html

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00007.html

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00009.html

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00020.html

http://rhn.redhat.com/errata/RHSA-2014-0246.html

http://rhn.redhat.com/errata/RHSA-2014-0247.html

http://rhn.redhat.com/errata/RHSA-2014-0288.html

http://rhn.redhat.com/errata/RHSA-2014-0339.html

http://secunia.com/advisories/56933

http://secunia.com/advisories/57103

http://secunia.com/advisories/57204

http://secunia.com/advisories/57254

http://secunia.com/advisories/57260

http://secunia.com/advisories/57274

http://secunia.com/advisories/57321

http://www.debian.org/security/2014/dsa-2869

http://www.securityfocus.com/bid/65919

http://www.ubuntu.com/usn/USN-2127-1

https://bugzilla.redhat.com/show_bug.cgi?id=1069865

Details

Source: MITRE

Published: 2014-03-07

Updated: 2016-11-28

Type: CWE-310

Risk Information

CVSS v2

Base Score: 5.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:gnu:gnutls:3.2.0:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.2.1:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.2.2:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.2.3:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.2.4:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.2.5:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.2.6:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.2.7:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.2.8:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.2.8.1:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.2.9:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.2.10:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:* versions up to 3.2.11 (inclusive)

Configuration 2

OR

cpe:2.3:a:gnu:gnutls:3.1.0:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.1:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.2:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.3:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.4:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.5:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.6:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.7:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.8:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.9:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.10:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.11:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.12:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.13:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.14:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.15:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.16:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.17:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.18:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.19:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:3.1.20:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:* versions up to 3.1.21 (inclusive)

Tenable Plugins

ID | Name | Product | Family | Severity
85142 | OracleVM 3.3 : gnutls (OVMSA-2015-0101) | Nessus | OracleVM Local Security Checks | high
83612 | SUSE SLES10 Security Update : gnutls (SUSE-SU-2014:0321-1) | Nessus | SuSE Local Security Checks | medium
82325 | Mandriva Linux Security Advisory : gnutls (MDVSA-2015:072) | Nessus | Mandriva Local Security Checks | medium
80631 | Oracle Solaris Third-Party Patch Update : gnutls (cve_2014_0092_cryptographic_issues) | Nessus | Solaris Local Security Checks | medium
79003 | RHEL 6 : rhev-hypervisor6 (RHSA-2014:0339) | Nessus | Red Hat Local Security Checks | medium
79001 | RHEL 4 / 5 / 6 : gnutls (RHSA-2014:0288) | Nessus | Red Hat Local Security Checks | medium
76061 | GLSA-201406-09 : GnuTLS: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | medium
75276 | openSUSE Security Update : gnutls (openSUSE-SU-2014:0328-1) | Nessus | SuSE Local Security Checks | medium
75274 | openSUSE Security Update : gnutls (openSUSE-SU-2014:0325-1) | Nessus | SuSE Local Security Checks | medium
73038 | Fedora 19 : mingw-gnutls-3.1.22-1.fc19 (2014-3493) | Nessus | Fedora Local Security Checks | medium
73036 | Fedora 20 : mingw-gnutls-3.1.22-1.fc20 (2014-3454) | Nessus | Fedora Local Security Checks | medium
72949 | Amazon Linux AMI : gnutls (ALAS-2014-301) | Nessus | Amazon Linux Local Security Checks | medium
72919 | Mandriva Linux Security Advisory : gnutls (MDVSA-2014:048) | Nessus | Mandriva Local Security Checks | medium
72869 | Fedora 20 : gnutls-3.1.20-4.fc20 (2014-3413) | Nessus | Fedora Local Security Checks | medium
72868 | Fedora 19 : gnutls-3.1.20-4.fc19 (2014-3363) | Nessus | Fedora Local Security Checks | medium
72812 | Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : gnutls26 vulnerability (USN-2127-1) | Nessus | Ubuntu Local Security Checks | medium
72808 | FreeBSD : gnutls -- multiple certificate verification issues (f645aa90-a3e8-11e3-a422-3c970e169bc2) | Nessus | FreeBSD Local Security Checks | medium
72804 | CentOS 5 : gnutls (CESA-2014:0247) | Nessus | CentOS Local Security Checks | medium
72803 | CentOS 6 : gnutls (CESA-2014:0246) | Nessus | CentOS Local Security Checks | medium
72797 | SuSE 11.3 Security Update : gnutls (SAT Patch Number 8949) | Nessus | SuSE Local Security Checks | medium
72796 | Scientific Linux Security Update : gnutls on SL6.x i386/x86_64 (20140303) | Nessus | Scientific Linux Local Security Checks | medium
72795 | Scientific Linux Security Update : gnutls on SL5.x i386/x86_64 (20140303) | Nessus | Scientific Linux Local Security Checks | medium
72794 | RHEL 5 : gnutls (RHSA-2014:0247) | Nessus | Red Hat Local Security Checks | medium
72793 | RHEL 6 : gnutls (RHSA-2014:0246) | Nessus | Red Hat Local Security Checks | medium
72792 | Oracle Linux 5 : gnutls (ELSA-2014-0247) | Nessus | Oracle Linux Local Security Checks | medium
72791 | Oracle Linux 6 : gnutls (ELSA-2014-0246) | Nessus | Oracle Linux Local Security Checks | medium
72782 | Debian DSA-2869-1 : gnutls26 - incorrect certificate verification | Nessus | Debian Local Security Checks | medium
72781 | Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : gnutls (SSA:2014-062-01) | Nessus | Slackware Local Security Checks | medium