Vigil@nce - GnuTLS: accepting a MD5 signature
May 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who can generate a signature on the fly (unlikely) can use a weak algorithm (MD5) against applications linked to GnuTLS, in order to act as a Man-in-the-Middle.
– Impacted products: Fedora, Unix (platform)
– Severity: 1/4
– Creation date: 05/05/2015
DESCRIPTION OF THE VULNERABILITY
The GnuTLS library implements the TLS 1.2 protocol. In this protocol version, the application can choose any combination of signature and hash algorithms.

When a TLS client receives a ServerKeyExchange message, it has to check that the algorithms chosen by the server match its security policy. Likewise, when a TLS server receives a ClientCertificateVerify message, it has to check that the algorithms chosen by the client match its security policy. However, GnuTLS accepts MD5 signatures regardless of that policy.

An attacker who can generate a signature on the fly (unlikely) can therefore use a weak algorithm (MD5) against applications linked to GnuTLS, in order to act as a Man-in-the-Middle.
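The client-side policy check the description calls for, as an added example that is not GnuTLS code: it parses the client's own TLS 1.2 signature_algorithms offer and validates the SignatureAndHashAlgorithm pair the server chose in ServerKeyExchange against it, beside a check that models the behaviour the bulletin describes (MD5 accepted regardless of policy). Function names and the sample offer are constructed for this illustration.

```python
# Added illustration, not GnuTLS code: a TLS 1.2 client-side check of the
# SignatureAndHashAlgorithm pair from ServerKeyExchange (RFC 5246, 7.4.1.4.1).
import struct

# Numeric ids defined in RFC 5246 section 7.4.1.4.1.
HASH_ALGS = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
             4: "sha256", 5: "sha384", 6: "sha512"}
SIG_ALGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
MD5 = 1


def parse_signature_algorithms(ext: bytes) -> set:
    """Parse the body of a ClientHello signature_algorithms extension
    (2-byte length, then hash/signature byte pairs) into a set of pairs."""
    if len(ext) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", ext[:2])
    body = ext[2:2 + length]
    if len(body) != length or length % 2 != 0:
        raise ValueError("bad signature_algorithms length")
    return {(body[i], body[i + 1]) for i in range(0, length, 2)}


def accepts_flawed(chosen: tuple, offered: set) -> bool:
    """Models the behaviour the bulletin describes: an MD5-based pair is
    accepted even when the local policy never offered it."""
    hash_id, _sig_id = chosen
    return hash_id == MD5 or chosen in offered


def accepts_hardened(chosen: tuple, offered: set) -> bool:
    """What the client should do: the pair the server chose must be known,
    must not use MD5, and must be one the client actually offered."""
    hash_id, sig_id = chosen
    if hash_id not in HASH_ALGS or sig_id not in SIG_ALGS:
        return False
    if hash_id == MD5:
        return False
    return chosen in offered


# Constructed sample offer: sha256 and sha384 with RSA and ECDSA only.
OFFERED_EXT = bytes.fromhex("0008" "0401" "0403" "0501" "0503")
MD5_RSA = (1, 1)       # pair a downgrading peer might present
SHA256_RSA = (4, 1)    # pair the client offered

if __name__ == "__main__":
    offered = parse_signature_algorithms(OFFERED_EXT)
    print("flawed accepts md5/rsa:", accepts_flawed(MD5_RSA, offered))
    print("hardened accepts md5/rsa:", accepts_hardened(MD5_RSA, offered))
```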
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/GnuTLS-accepting-a-MD5-signature-16813