CVE-2014-0092medium
New! CVE Severity Now Using CVSS v3
The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Description
lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
References
http://gnutls.org/security.html#GNUTLS-SA-2014-2
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00005.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00009.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00020.html
http://rhn.redhat.com/errata/RHSA-2014-0246.html
http://rhn.redhat.com/errata/RHSA-2014-0247.html
http://rhn.redhat.com/errata/RHSA-2014-0288.html
http://rhn.redhat.com/errata/RHSA-2014-0339.html
http://secunia.com/advisories/56933
http://secunia.com/advisories/57103
http://secunia.com/advisories/57204
http://secunia.com/advisories/57254
http://secunia.com/advisories/57260
http://secunia.com/advisories/57274
http://secunia.com/advisories/57321
http://www.debian.org/security/2014/dsa-2869
http://www.securityfocus.com/bid/65919
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:gnu:gnutls:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.2.1:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.2.2:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.2.3:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.2.4:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.2.5:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.2.6:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.2.7:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.2.8:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.2.8.1:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.2.9:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.2.10:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:* versions up to 3.2.11 (inclusive)
Configuration 2
OR
cpe:2.3:a:gnu:gnutls:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.1:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.2:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.3:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.4:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.5:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.6:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.7:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.8:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.9:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.10:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.11:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.12:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.13:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.14:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.15:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.16:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.17:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.18:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.19:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:3.1.20:*:*:*:*:*:*:*
cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:* versions up to 3.1.21 (inclusive)
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 85142 | OracleVM 3.3 : gnutls (OVMSA-2015-0101) | Nessus | OracleVM Local Security Checks | high |
| 83612 | SUSE SLES10 Security Update : gnutls (SUSE-SU-2014:0321-1) | Nessus | SuSE Local Security Checks | medium |
| 82325 | Mandriva Linux Security Advisory : gnutls (MDVSA-2015:072) | Nessus | Mandriva Local Security Checks | medium |
| 80631 | Oracle Solaris Third-Party Patch Update : gnutls (cve_2014_0092_cryptographic_issues) | Nessus | Solaris Local Security Checks | medium |
| 79003 | RHEL 6 : rhev-hypervisor6 (RHSA-2014:0339) | Nessus | Red Hat Local Security Checks | medium |
| 79001 | RHEL 4 / 5 / 6 : gnutls (RHSA-2014:0288) | Nessus | Red Hat Local Security Checks | medium |
| 76061 | GLSA-201406-09 : GnuTLS: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | medium |
| 75276 | openSUSE Security Update : gnutls (openSUSE-SU-2014:0328-1) | Nessus | SuSE Local Security Checks | medium |
| 75274 | openSUSE Security Update : gnutls (openSUSE-SU-2014:0325-1) | Nessus | SuSE Local Security Checks | medium |
| 73038 | Fedora 19 : mingw-gnutls-3.1.22-1.fc19 (2014-3493) | Nessus | Fedora Local Security Checks | medium |
| 73036 | Fedora 20 : mingw-gnutls-3.1.22-1.fc20 (2014-3454) | Nessus | Fedora Local Security Checks | medium |
| 72949 | Amazon Linux AMI : gnutls (ALAS-2014-301) | Nessus | Amazon Linux Local Security Checks | medium |
| 72919 | Mandriva Linux Security Advisory : gnutls (MDVSA-2014:048) | Nessus | Mandriva Local Security Checks | medium |
| 72869 | Fedora 20 : gnutls-3.1.20-4.fc20 (2014-3413) | Nessus | Fedora Local Security Checks | medium |
| 72868 | Fedora 19 : gnutls-3.1.20-4.fc19 (2014-3363) | Nessus | Fedora Local Security Checks | medium |
| 72812 | Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : gnutls26 vulnerability (USN-2127-1) | Nessus | Ubuntu Local Security Checks | medium |
| 72808 | FreeBSD : gnutls -- multiple certificate verification issues (f645aa90-a3e8-11e3-a422-3c970e169bc2) | Nessus | FreeBSD Local Security Checks | medium |
| 72804 | CentOS 5 : gnutls (CESA-2014:0247) | Nessus | CentOS Local Security Checks | medium |
| 72803 | CentOS 6 : gnutls (CESA-2014:0246) | Nessus | CentOS Local Security Checks | medium |
| 72797 | SuSE 11.3 Security Update : gnutls (SAT Patch Number 8949) | Nessus | SuSE Local Security Checks | medium |
| 72796 | Scientific Linux Security Update : gnutls on SL6.x i386/x86_64 (20140303) | Nessus | Scientific Linux Local Security Checks | medium |
| 72795 | Scientific Linux Security Update : gnutls on SL5.x i386/x86_64 (20140303) | Nessus | Scientific Linux Local Security Checks | medium |
| 72794 | RHEL 5 : gnutls (RHSA-2014:0247) | Nessus | Red Hat Local Security Checks | medium |
| 72793 | RHEL 6 : gnutls (RHSA-2014:0246) | Nessus | Red Hat Local Security Checks | medium |
| 72792 | Oracle Linux 5 : gnutls (ELSA-2014-0247) | Nessus | Oracle Linux Local Security Checks | medium |
| 72791 | Oracle Linux 6 : gnutls (ELSA-2014-0246) | Nessus | Oracle Linux Local Security Checks | medium |
| 72782 | Debian DSA-2869-1 : gnutls26 - incorrect certificate verification | Nessus | Debian Local Security Checks | medium |
| 72781 | Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : gnutls (SSA:2014-062-01) | Nessus | Slackware Local Security Checks | medium |