[Ach] GnuTLS Buffer-overflow in ServerHello SessionID parsing

Aaron Zauner azet at azet.org
Sun Jun 1 15:57:42 CEST 2014
A flaw was found in the way GnuTLS parsed session ids from Server
Hello packets of the TLS/SSL handshake.  A malicious server could
use this flaw to send an excessively long session id value and
trigger a buffer overflow in a connecting TLS/SSL client using
GnuTLS, causing it to crash or, possibly, execute arbitrary code.

The flaw is in read_server_hello() / _gnutls_read_server_hello(),
where session_id_len is checked to not exceed incoming packet size,
but not checked to ensure it does not exceed maximum session id
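The two bounds the advisory distinguishes, as an added illustration (this is constructed example code, not GnuTLS's own read_server_hello()): a ServerHello body parser that checks session_id_len against the bytes remaining in the packet and, separately, against the protocol maximum before copying into a fixed-size buffer. The `packet_size_check_only()` helper shows why the first check alone is insufficient: a server can make the packet as long as it likes, so an over-long session id passes it while still overflowing a 32-byte destination. All names, the 32-byte limit (RFC 5246, SessionID <0..32>) and the sample packet are assumptions made here for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 5246 section 7.4.1.3 defines SessionID as opaque <0..32>. */
#define TLS_MAX_SESSION_ID_LEN 32
#define TLS_RANDOM_LEN 32

struct server_hello {
    uint16_t version;
    uint8_t  random[TLS_RANDOM_LEN];
    uint8_t  session_id_len;
    uint8_t  session_id[TLS_MAX_SESSION_ID_LEN]; /* fixed-size destination buffer */
    uint16_t cipher_suite;
    uint8_t  compression;
};

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_SESSION_ID_TOO_LONG = 2 };

/* The weak check the advisory describes: the length is compared only to the
   bytes left in the packet. Returns 1 if that check alone would accept it. */
int packet_size_check_only(size_t session_id_len, size_t remaining)
{
    return session_id_len <= remaining;
}

/* Hardened parser: every length is checked against the remaining packet bytes,
   and session_id_len is additionally checked against the protocol maximum
   before anything is copied into the fixed-size session_id buffer. */
enum parse_status parse_server_hello(const uint8_t *pkt, size_t len, struct server_hello *out)
{
    size_t pos = 0;
    if (len < 2 + TLS_RANDOM_LEN + 1) return PARSE_TRUNCATED;
    out->version = (uint16_t)((pkt[0] << 8) | pkt[1]);
    pos = 2;
    memcpy(out->random, pkt + pos, TLS_RANDOM_LEN);
    pos += TLS_RANDOM_LEN;
    out->session_id_len = pkt[pos++];
    /* Check 1: does the claimed length fit in the packet? (present in the flawed code) */
    if (out->session_id_len > len - pos) return PARSE_TRUNCATED;
    /* Check 2: does it fit in the destination buffer? (the check the advisory says was missing) */
    if (out->session_id_len > TLS_MAX_SESSION_ID_LEN) return PARSE_SESSION_ID_TOO_LONG;
    memcpy(out->session_id, pkt + pos, out->session_id_len);
    pos += out->session_id_len;
    if (len - pos < 3) return PARSE_TRUNCATED;
    out->cipher_suite = (uint16_t)((pkt[pos] << 8) | pkt[pos + 1]);
    out->compression = pkt[pos + 2];
    return PARSE_OK;
}

/* Build a constructed ServerHello body (no extensions) with the given session
   id length. Returns the number of bytes written, or 0 if buf is too small. */
size_t build_server_hello(uint8_t *buf, size_t cap, uint8_t session_id_len)
{
    size_t need = 2 + TLS_RANDOM_LEN + 1 + session_id_len + 3;
    size_t p;
    if (cap < need) return 0;
    buf[0] = 0x03; buf[1] = 0x03;                      /* TLS 1.2 */
    memset(buf + 2, 0xAB, TLS_RANDOM_LEN);             /* constructed "random" */
    buf[2 + TLS_RANDOM_LEN] = session_id_len;
    memset(buf + 2 + TLS_RANDOM_LEN + 1, 0x11, session_id_len);
    p = 2 + TLS_RANDOM_LEN + 1 + session_id_len;
    buf[p] = 0xC0; buf[p + 1] = 0x2F;                  /* constructed cipher suite */
    buf[p + 2] = 0x00;                                 /* null compression */
    return need;
}

int main(void)
{
    uint8_t buf[512];
    struct server_hello sh;
    size_t n;

    n = build_server_hello(buf, sizeof buf, 32);
    printf("32-byte session id: status %d\n", parse_server_hello(buf, n, &sh));

    n = build_server_hello(buf, sizeof buf, 200);
    printf("200-byte session id: packet-size check alone accepts=%d, hardened status %d\n",
           packet_size_check_only(200, n - (2 + TLS_RANDOM_LEN + 1)),
           parse_server_hello(buf, n, &sh));
    return 0;
}
```

The order of the two checks matters less than their both being present; what makes the second one necessary is that the attacker controls the packet length, so "fits in the packet" says nothing about "fits in the buffer".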
