Skip to main content

GnuTLS "read_server_hello()" Remote Code Execution Vulnerability

Last Update Date: 5 Jun 2014 Release Date: 3 Jun 2014 3912 Views

RISK: Medium Risk

TYPE: Security software and application - Security Software & Appliance

TYPE: Security Software & Appliance

A vulnerability has been identified in GnuTLS, which can be exploited by malicious people to compromise an application using the library.

The vulnerability is caused due to a boundary error within the "read_server_hello()" function (lib/gnutls_handshake.c) and can be exploited to cause memory corruption via an overly long session identifier.

Successful exploitation may allow execution of arbitrary code, but requires e.g. tricking a victim into connecting to a malicious server.


Impact

  • Remote Code Execution

System / Technologies affected

  • Versions prior to 3.1.25, prior to 3.2.15, and prior to 3.3.4.

 


Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

  • Update to version 3.1.25, 3.2.15, or 3.3.4.

Vulnerability Identifier


Source


Related Link