Unrated severityNVD Advisory· Published Apr 3, 2020· Updated Aug 4, 2024

CVE-2020-11501

Description

GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS client always uses 32 '\0' bytes instead of a random value, and thus contributes no randomness to a DTLS negotiation. This breaks the security guarantees of the DTLS protocol.

Affected products

GnuTLS/GnuTLSdescription
osv-coords33 versions
pkg:apk/chainguard/gnutls pkg:apk/chainguard/gnutls-c++pkg:apk/chainguard/gnutls-c%2B%2B pkg:apk/chainguard/gnutls-dev pkg:apk/chainguard/gnutls-doc pkg:apk/chainguard/gnutls-utils pkg:apk/wolfi/gnutls pkg:apk/wolfi/gnutls-c++pkg:apk/wolfi/gnutls-c%2B%2B pkg:apk/wolfi/gnutls-dev pkg:apk/wolfi/gnutls-doc pkg:apk/wolfi/gnutls-utils pkg:rpm/opensuse/gmp&distro=openSUSE%20Leap%2015.1 pkg:rpm/opensuse/gnutls&distro=openSUSE%20Leap%2015.1 pkg:rpm/opensuse/libnettle&distro=openSUSE%20Leap%2015.1 pkg:rpm/suse/gmp&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS pkg:rpm/suse/gmp&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS pkg:rpm/suse/gmp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1 pkg:rpm/suse/gmp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Certifications%2015%20SP3 pkg:rpm/suse/gmp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1 pkg:rpm/suse/gmp&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS pkg:rpm/suse/gmp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015 pkg:rpm/suse/gnutls&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS pkg:rpm/suse/gnutls&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS pkg:rpm/suse/gnutls&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1 pkg:rpm/suse/gnutls&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS pkg:rpm/suse/gnutls&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015 pkg:rpm/suse/libnettle&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS pkg:rpm/suse/libnettle&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS pkg:rpm/suse/libnettle&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1 pkg:rpm/suse/libnettle&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Certifications%2015%20SP3 pkg:rpm/suse/libnettle&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS pkg:rpm/suse/libnettle&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015
< 0+ 32 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 6.1.2-lp151.4.3.1
- (no CPE)range: < 3.6.7-lp151.2.6.1
- (no CPE)range: < 3.4.1-lp151.2.3.2
- (no CPE)range: < 6.1.2-4.3.1
- (no CPE)range: < 6.1.2-4.3.1
- (no CPE)range: < 6.1.2-4.3.1
- (no CPE)range: < 6.1.2-4.3.1
- (no CPE)range: < 6.1.2-4.3.1
- (no CPE)range: < 6.1.2-4.3.1
- (no CPE)range: < 6.1.2-4.3.1
- (no CPE)range: < 3.6.7-6.14.1
- (no CPE)range: < 3.6.7-6.14.1
- (no CPE)range: < 3.6.7-6.14.1
- (no CPE)range: < 3.6.7-6.14.1
- (no CPE)range: < 3.6.7-6.14.1
- (no CPE)range: < 3.4.1-4.12.1
- (no CPE)range: < 3.4.1-4.12.1
- (no CPE)range: < 3.4.1-4.12.1
- (no CPE)range: < 3.4.1-4.12.1
- (no CPE)range: < 3.4.1-4.12.1
- (no CPE)range: < 3.4.1-4.12.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.opensuse.org/opensuse-security-announce/2020-04/msg00015.htmlmitrevendor-advisoryx_refsource_SUSE
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ/mitrevendor-advisoryx_refsource_FEDORA
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7/mitrevendor-advisoryx_refsource_FEDORA
security.gentoo.org/glsa/202004-06mitrevendor-advisoryx_refsource_GENTOO
usn.ubuntu.com/4322-1/mitrevendor-advisoryx_refsource_UBUNTU
www.debian.org/security/2020/dsa-4652mitrevendor-advisoryx_refsource_DEBIAN
gitlab.com/gnutls/gnutls/-/commit/5b595e8e52653f6c5726a4cdd8fddeb6e83804d2mitrex_refsource_MISC
gitlab.com/gnutls/gnutls/-/issues/960mitrex_refsource_MISC
security.netapp.com/advisory/ntap-20200416-0002/mitrex_refsource_CONFIRM
www.gnutls.org/security-new.htmlmitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.009
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000