Vigil@nce - GnuTLS: denial of service via ciphertext_to_compressed
April 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use an invalid TLS block, in order to stop
applications linked to GnuTLS.
Severity: 2/4
Creation date: 21/03/2012
IMPACTED PRODUCTS
– Debian Linux
– Fedora
– Mandriva Enterprise Server
– Mandriva Linux
– Red Hat Enterprise Linux
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The GnuTLS library implements SSL/TLS.
The ciphertext_to_compressed() function of the lib/gnutls_cipher.c
file decodes data. However, if data size is not a multiple of the
block size, the GNUTLS_E_DECRYPTION_FAILED error is not returned,
so the function continues. It then calls _gnutls_auth_cipher_add_auth()
which tries to read at an invalid memory address.
An attacker can therefore use an invalid TLS block, in order to
stop applications linked to GnuTLS.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/GnuTLS-denial-of-service-via-ciphertext-to-compressed-11465