Vulnerability Details : CVE-2020-11501
GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS client always uses 32 '\0' bytes instead of a random value, and thus contributes no randomness to a DTLS negotiation. This breaks the security guarantees of the DTLS protocol.
Products affected by CVE-2020-11501
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-11501
0.25%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 64 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-11501
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
8.6
|
4.9
|
NIST | |
7.4
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
2.2
|
5.2
|
NIST |
CWE ids for CVE-2020-11501
-
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-11501
-
https://security.gentoo.org/glsa/202004-06
GnuTLS: DTLS protocol regression (GLSA 202004-06) — Gentoo securityThird Party Advisory
-
https://usn.ubuntu.com/4322-1/
USN-4322-1: GnuTLS vulnerability | Ubuntu security noticesThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ/
[SECURITY] Fedora 31 Update: mingw-gnutls-3.6.13-1.fc31 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-03-31
GnuTLSVendor Advisory
-
https://gitlab.com/gnutls/gnutls/-/issues/960
DTLS client hello contains a random value of all zeroes (#960) · Issues · gnutls / GnuTLS · GitLabIssue Tracking;Patch;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20200416-0002/
CVE-2020-11501 GnuTLS Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://www.debian.org/security/2020/dsa-4652
Debian -- Security Information -- DSA-4652-1 gnutls28Third Party Advisory
-
https://gitlab.com/gnutls/gnutls/-/commit/5b595e8e52653f6c5726a4cdd8fddeb6e83804d2
NEWS: updated for release (5b595e8e) · Commits · gnutls / GnuTLS · GitLabPatch;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7/
[SECURITY] Fedora 32 Update: mingw-gnutls-3.6.13-1.fc32 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00015.html
[security-announce] openSUSE-SU-2020:0501-1: moderate: Security update fThird Party Advisory
Jump to