CVE-2020-13777: GnuTLS Vulnerability Found Hidden For 2 Years

June 11, 2020

Vulnerability in GnuTLS termed as CVE-2020-13777, is a widely adopted, open source library that uses TLS (Transport Layer Security)

According to reports, the vulnerability is found to be present in library for approximately 2 years, making resumed TLS 1.3 sessions open for attack. The vulnerability was noticed in GnuTLS 3.6.4 in September 2018, and was addressed later in newer version of GnuTLS 3.6.14 on June 3 2020.

CVE-2020-13777 Vulnerability Explained

Reportedly, this bug actually allowed GnuTLS servers to use session tickets issued during previous secure TLS 1.3 session, without utilizing the function that creates secret keys:

gnutls_session_ticket_key_generate()

Taking advantage of this vulnerability, the attackers could circumvent authentication under TLS 1.3, therefore recovering the previous conversations under TLS 1.2.

As per what the researcher named Airtower have to say:

“GnuTLS servers are able to use tickets issued by each other without access to the secret key as generated by gnutls_session_ticket_key_generate(). This allows a MITM server without valid credentials to resume sessions with a client that first established an initial connection with a server with valid credentials. The issue applies to TLS 1.3, when using TLS 1.2 resumption fails as expected.”

The security researchers have noticed this issue first with Ubuntu version 3.6.13-2ubuntu1 and created it with a new build from master termed as 52e78fle.

Some of the researchers are also arguing that GnuTLS should be eliminated as a dependency, while many of them have voiced their disdain against the library as welll, according to what pointed by TheRegister.

According to MITRE CVE dictionary, the description of CVE-2020-13777 is described as:

“GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.”

However, there’s no identified mitigation against this vulnerability as clarified by RedHat advisorry.

More Stories

How Optimum Gives a Seamless Gaming Experience?

December 13, 2023

Windows 11 Update: Say Bye To These Features

June 25, 2021

Massachusetts MassNotify Android COVID App Forced By Google

June 21, 2021

You may have missed

impacts

How to Remove Feed.Searchbazak.com from PC

April 30, 2024
impacts

How to Remove MagnaSearch.org from PC

April 30, 2024

How to Remove Adaware Web Companion from PC

April 30, 2024
impacts

How to Remove News-sevame.cc from PC

April 30, 2024
prevention-tips

How to Remove Pergidal.co.in from PC

April 30, 2024