Vigil@nce - GnuTLS: memory corruption via ServerHello
June 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can generate a memory corruption via ServerHello of
GnuTLS, in order to trigger a denial of service, and possibly to
execute code.
Impacted products: Debian, Fedora, MBS, MES, openSUSE, RHEL,
Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix
(platform)
Severity: 2/4
Creation date: 30/05/2014
DESCRIPTION OF THE VULNERABILITY
The GnuTLS product implements a SSL/TLS client.
However, a SSL/TLS server can send a malicious ServerHello message
to the GnuTLS client, in order to corrupt its memory.
An attacker can therefore generate a memory corruption via
ServerHello of GnuTLS, in order to trigger a denial of service,
and possibly to execute code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/GnuTLS-memory-corruption-via-ServerHello-14821