CVE-2004-2531
Description
GnuTLS 1.0.16 is vulnerable to CPU exhaustion via crafted X.509 certificate chains with large RSA keys.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In GnuTLS 1.0.16, the X.509 certificate chain verification lacks limits on chain length or RSA key size. An attacker can supply a certificate chain containing many certificates or certificates signed with excessively large RSA keys, causing the verification process to consume disproportionate CPU resources [1].
Exploitation
A remote attacker, without prior authentication, can trigger this vulnerability by presenting a specially crafted certificate chain during a TLS handshake. The chain may include a large number of intermediate certificates or certificates with large RSA public keys, forcing the verifier to perform expensive signature checks [1].
Impact
Successful exploitation leads to a denial of service (CPU exhaustion) on the system performing certificate verification. The service may become unresponsive or crash, but no data confidentiality or integrity is compromised [1].
Mitigation
The issue is fixed in GnuTLS 1.0.17, released on August 2, 2004. This version introduces default limits on certificate chain depth and key sizes, and adds the gnutls_certificate_set_verify_limits() function to allow administrators to configure these limits [1]. No workaround is documented for the vulnerable version.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
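The mitigation above amounts to bounding chain depth and key size before any signature is checked. The following Python model is an added example, not GnuTLS code and not part of this record; the names `Cert`, `check_limits`, `verify_chain`, `make_chain`, the `verify_signature` callback and the limit values are assumptions made for illustration.

```python
# Added illustration, not GnuTLS code: certificates are reduced to an RSA modulus.
from dataclasses import dataclass

# Hypothetical limits chosen for this example, not GnuTLS defaults.
MAX_DEPTH = 6
MAX_BITS = 8192


@dataclass
class Cert:
    subject: str
    modulus: int  # RSA modulus n of the certificate's public key


class ChainRejected(Exception):
    """Raised when a chain breaks a limit or fails a signature check."""


def check_limits(chain, max_depth=MAX_DEPTH, max_bits=MAX_BITS):
    """Cheap structural checks only; no cryptography is performed here."""
    if len(chain) > max_depth:
        raise ChainRejected(f"{len(chain)} certificates, limit {max_depth}")
    for cert in chain:
        bits = cert.modulus.bit_length()
        if bits > max_bits:
            raise ChainRejected(f"{cert.subject}: {bits}-bit key, limit {max_bits}")


def verify_chain(chain, verify_signature, **limits):
    """Return the number of signature checks performed on an accepted chain.

    Limits are enforced on the whole chain first, so an oversized key at the
    end cannot force expensive checks on the certificates before it.
    """
    check_limits(chain, **limits)
    checks = 0
    for cert, issuer in zip(chain, chain[1:]):
        checks += 1
        if not verify_signature(cert, issuer):
            raise ChainRejected(f"bad signature on {cert.subject}")
    return checks


def make_chain(length, bits):
    """Constructed sample data: placeholder moduli of the requested bit length."""
    return [Cert(f"cert{i}", (1 << (bits - 1)) | 1) for i in range(length)]
```

A rejected chain costs only a length check and one `bit_length()` call per certificate, which is the property the fixed release restores.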
Affected products: 2
Patches: 0 (no patches discovered yet)
References (7)
- secunia.com/advisories/12156 [nvd] Patch, Vendor Advisory
- securitytracker.com/id [nvd] Patch, Vendor Advisory
- www.hornik.sk/SA/SA-20040802.txt [nvd] Patch, Vendor Advisory
- www.osvdb.org/8278 [nvd] Patch
- www.securityfocus.com/bid/10839 [nvd] Patch
- lists.gnupg.org/pipermail/gnutls-dev/2004-August/000703.html [nvd]
- exchange.xforce.ibmcloud.com/vulnerabilities/16858 [nvd]