Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Security)  >   GnuTLS Vendors:
GnuTLS X.509 Certificate Chain Validation Process Lets Remote Users Deny Service
SecurityTracker Alert ID:  1010838
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 2 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.0.16 and prior versions
Description:   A vulnerability was reported in GnuTLS in the verification of X.509 certificate chains. A remote user can cause denial of service conditions on the target system.

Patrik Hornik reported that a remote user can create a specially crafted certificate signature using arbitrary RSA or DSA keys to cause the target system to consume excessive CPU resources attempting to validate the certificate chain. This is because in GnuTLS, certificates are checked from the first certificate to the last certificate and the software does not limit the length of the certificate chain or the size of keys. So, a remote user can use a large key to sign a certificate to cause the target system to consume excessive CPU resources in attempting to verify the signature.

The original advisory is available at:

Impact:   A remote user can cause excessive CPU resources to be consumed on the target system.
Solution:   The vendor has issued a new version (1.0.17) that includes limits on key size and chain length, available at:

Vendor URL: (Links to External Site)
Cause:   State error
Underlying OS:  Linux (Any)

Message History:   None.

 Source Message Contents

Subject:  SA-20040802 GnuTLS certificate chain verification bug

Hash: SHA1

Security advisory 20040802
- ----------------------------------------------------------------------
  Product:                  GnuTLS
  Vulnerability type:       wrong algorithm
  Impact:                   DoS
  Severity:                 low
  Issue date:               2004/08/02
  Last updated:             2004/08/02

- -----------

Mr.   Hornik   has   discovered  error  in  X.509  certificate chain
verification procedure in GnuTLS library. The certificate chain should
be verified from last root certificate to the first certificate.
Otherwise  a lot of unauthorized CPU processing can be forced to check
certificate signatures signed with arbitrary RSA/DSA keys chosen by

In GnuTLS the signatures are checked from first to last certificate,
there is no limit on size of keys and no limit on length of
certificate chain.

- -------------

GnuTLS library checks the signatures from first to last root
certificate of chain, there is no limit on size of keys and no limit
on length of certificate chain. So attacker can construct such
certificate chain that signature signed with chosen RSA key with
chosen size will be verified. This is not the case when verifying from
last root certificate to first - there are checked signatures signed
by trusted certificates and so trusted keys only.

The main problem is that size of key can be chosen - with RSA keys the
complexity of verifying signature is dependent on square of key size.
So for example verifying signature signed with 32768 bit RSA key takes
approximately 1024 times longer than verifying signature signed with
1024 bit RSA key (with simillar bit length of e). Because RSA
verification is not simple operation with longer keys one verification
takes such significant amount of processing power that you can
effectively launch DoS on CPU resources of remote machine running

Who is affected?
- ----------------

Affected  are  all  users  using  GnuTLS library version 1.0.16 and
below for verifying X.509 certificate chains.

The version 1.0.17 with this issue fixed by introducing some limits on
key size and chain length is available from vendor together with this

- ---------------

Upgrade  your  GnuTLS library to the version 1.0.17 or later with this
issue fixed and restart all dependant applications if needed.

- ----------

This security advisory:


- -------

Patrik Hornik
- --
Phone: +421 905 385 666
PGP KeyID: 940AA357

Version: PGPfreeware 6.0.2i



Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC