Vulnerability Description
GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS client always uses 32 '\0' bytes instead of a random value, and thus contributes no randomness to a DTLS negotiation. This breaks the security guarantees of the DTLS protocol.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnu | Gnutls | >= 3.6.3, < 3.6.13 |
| Canonical | Ubuntu Linux | 19.10 |
| Debian | Debian Linux | 10.0 |
| Opensuse | Leap | 15.1 |
| Fedoraproject | Fedora | 31 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00015.htmlThird Party Advisory
- https://gitlab.com/gnutls/gnutls/-/commit/5b595e8e52653f6c5726a4cdd8fddeb6e83804PatchThird Party Advisory
- https://gitlab.com/gnutls/gnutls/-/issues/960Issue TrackingPatchThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202004-06Third Party Advisory
- https://security.netapp.com/advisory/ntap-20200416-0002/Third Party Advisory
- https://usn.ubuntu.com/4322-1/Third Party Advisory
- https://www.debian.org/security/2020/dsa-4652Third Party Advisory
- https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-03-31Vendor Advisory
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00015.htmlThird Party Advisory
- https://gitlab.com/gnutls/gnutls/-/commit/5b595e8e52653f6c5726a4cdd8fddeb6e83804PatchThird Party Advisory
- https://gitlab.com/gnutls/gnutls/-/issues/960Issue TrackingPatchThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2020-11501?
CVE-2020-11501 is a vulnerability with a CVSS score of 7.4 (HIGH). GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS client always uses 32 '\0' byt...
How severe is CVE-2020-11501?
CVE-2020-11501 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11501?
Check the references section above for vendor advisories and patch information. Affected products include: Gnu Gnutls, Canonical Ubuntu Linux, Debian Debian Linux, Opensuse Leap, Fedoraproject Fedora.