Severity rating: Medium
Software affected
GnuTLS versions prior to 3.6.14
Overview
A vulnerability has been reported in GnuTLS which could be exploited by a
remote attacker to perform a Man-in-the-Middle (MitM) attack to bypass
authentication or recover previous conversations.
Description
The vulnerability exists in GnuTLS 3.6.x before 3.6.14 due to a regression
introduced into the TLS protocol implementation. This caused the TLS
server to not securely construct a session ticket encryption key, generated
by the gnutls_session_ticket_key_generate() function, considering the
application-supplied secret.
Successful exploitation of this vulnerability could allow a
Man-in-the-Middle (MitM) attacker to bypass authentication in TLS 1.3 and
recover previous conversations in TLS 1.2.
Solution
Upgrade to GnuTLS 3.6.14 or later to fix this vulnerability.
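To triage hosts against the version ranges given above, the following shell functions classify a GnuTLS version string. This is an added example, not part of the original advisory or the GnuTLS project. The function names are hypothetical, and it assumes the first line of `gnutls-cli --version` carries the version. Distribution packages may backport the fix without changing the upstream version number, so an "affected" result still needs a check against the distributor's changelog.

```shell
#!/bin/sh
# Added example: classify a GnuTLS version string against this advisory.
# Function names are hypothetical; the version ranges come from the advisory text.

# Pull the first dotted x.y.z version out of a line of text (empty if none).
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Prints one of:
#   affected - 3.6.x before 3.6.14 (the range named in the Description)
#   fixed    - 3.6.14 or later
#   review   - older than 3.6 ("Software affected" lists every version before
#              3.6.14, while the Description names only 3.6.x)
#   unknown  - no x.y.z version found in the input
classify_gnutls() {
    v=$(extract_version "$1")
    [ -n "$v" ] || { echo unknown; return 0; }
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -gt 6 ]; }; then
        echo fixed
    elif [ "$major" -eq 3 ] && [ "$minor" -eq 6 ]; then
        if [ "$patch" -lt 14 ]; then echo affected; else echo fixed; fi
    else
        echo review
    fi
}

# Report on the local installation when the command-line tool is present.
if command -v gnutls-cli >/dev/null 2>&1; then
    line=$(gnutls-cli --version 2>/dev/null | head -n 1)
    echo "installed: ${line:-unknown} -> $(classify_gnutls "$line")"
fi
```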
Vendor information
GnuTLS
References
GnuTLS
NVD
CVE Name
CVE-2020-13777
About Cert Advisory
We have created this blog to provide the latest security advisories from the India CERT on security vulnerabilities, threats, attacks and the patching required to mitigate any kind of cyber attack.