[email protected]CVE-2014-3466

HistoryJun 03, 2014 - 2:55 p.m.

CVE-2014-3466

2014-06-0314:55:10

CWE-119

[email protected]

web.nvd.nist.gov

cve-2014-3466

buffer overflow

gnutls

remote code execution

memory corruption

nvd

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

7.4 High

AI Score

Confidence

High

0.661 Medium

EPSS

Percentile

97.9%

JSON

Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows remote servers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a long session id in a ServerHello message.

Affected configurations

NVD

Node

gnugnutlsMatch3.3.0-

gnugnutlsMatch3.3.0pre0

gnugnutlsMatch3.3.1

gnugnutlsMatch3.3.2

gnugnutlsMatch3.3.3

Node

gnugnutlsRange≤3.1.24

gnugnutlsMatch3.1.0

gnugnutlsMatch3.1.1

gnugnutlsMatch3.1.2

gnugnutlsMatch3.1.3

gnugnutlsMatch3.1.4

gnugnutlsMatch3.1.5

gnugnutlsMatch3.1.6

gnugnutlsMatch3.1.7

gnugnutlsMatch3.1.8

gnugnutlsMatch3.1.9

gnugnutlsMatch3.1.10

gnugnutlsMatch3.1.11

gnugnutlsMatch3.1.12

gnugnutlsMatch3.1.13

gnugnutlsMatch3.1.14

gnugnutlsMatch3.1.15

gnugnutlsMatch3.1.16

gnugnutlsMatch3.1.17

gnugnutlsMatch3.1.18

gnugnutlsMatch3.1.19

gnugnutlsMatch3.1.20

gnugnutlsMatch3.1.21

gnugnutlsMatch3.1.22

gnugnutlsMatch3.1.23

Node

gnugnutlsMatch3.2.0

gnugnutlsMatch3.2.1

gnugnutlsMatch3.2.2

gnugnutlsMatch3.2.3

gnugnutlsMatch3.2.4

gnugnutlsMatch3.2.5

gnugnutlsMatch3.2.6

gnugnutlsMatch3.2.7

gnugnutlsMatch3.2.8

gnugnutlsMatch3.2.8.1

gnugnutlsMatch3.2.9

gnugnutlsMatch3.2.10

gnugnutlsMatch3.2.11

gnugnutlsMatch3.2.12

gnugnutlsMatch3.2.12.1

gnugnutlsMatch3.2.13

gnugnutlsMatch3.2.14

CPENameOperatorVersion
gnu:gnutlsgnu gnutlseq3.3.0
gnu:gnutlsgnu gnutlseq3.3.1
gnu:gnutlsgnu gnutlseq3.3.2
gnu:gnutlsgnu gnutlseq3.3.3

CPE	Name	Operator	Version
gnu:gnutls	gnu gnutls	eq	3.3.0
gnu:gnutls	gnu gnutls	eq	3.3.1
gnu:gnutls	gnu gnutls	eq	3.3.2
gnu:gnutls	gnu gnutls	eq	3.3.3

References

linux.oracle.com/errata/ELSA-2014-0594.html

linux.oracle.com/errata/ELSA-2014-0595.html

lists.opensuse.org/opensuse-security-announce/2014-06/msg00002.html

lists.opensuse.org/opensuse-security-announce/2014-06/msg00007.html

lists.opensuse.org/opensuse-security-announce/2014-06/msg00010.html

lists.opensuse.org/opensuse-security-announce/2014-06/msg00015.html

radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/

rhn.redhat.com/errata/RHSA-2014-0594.html

rhn.redhat.com/errata/RHSA-2014-0595.html

rhn.redhat.com/errata/RHSA-2014-0684.html

rhn.redhat.com/errata/RHSA-2014-0815.html

secunia.com/advisories/58340

secunia.com/advisories/58598

secunia.com/advisories/58601

secunia.com/advisories/58642

secunia.com/advisories/59016

secunia.com/advisories/59021

secunia.com/advisories/59057

secunia.com/advisories/59086

secunia.com/advisories/59408

secunia.com/advisories/59838

secunia.com/advisories/60384

www-01.ibm.com/support/docview.wss?uid=swg21678776

www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096155

www.debian.org/security/2014/dsa-2944

www.gnutls.org/security.html

www.novell.com/support/kb/doc.php?id=7015302

www.novell.com/support/kb/doc.php?id=7015303

www.securityfocus.com/bid/67741

www.securitytracker.com/id/1030314

www.ubuntu.com/usn/USN-2229-1

bugzilla.redhat.com/show_bug.cgi?id=1101932

www.gitorious.org/gnutls/gnutls/commit/688ea6428a432c39203d00acd1af0e7684e5ddfd

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

7.4 High

AI Score

Confidence

High

0.661 Medium

EPSS

Percentile

97.9%

JSON

CVE-2014-3466

Affected configurations

References

Related