Vigil@nce - GnuTLS: variant of POODLE
February 2016 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker, located as a Man-in-the-Middle, can decrypt a SSL
session of an application compiled with GnuTLS, in order to obtain
sensitive information.
Impacted products: Debian, Ubuntu, Unix (platform) not
comprehensive.
Severity: 2/4.
Creation date: 02/12/2015.
DESCRIPTION OF THE VULNERABILITY
The GnuTLS library implements the SSL/TLS protocol.
However, GnuTLS does not check the first padding byte in CBC mode.
This vulnerability is similar to POODLE (VIGILANCE-VUL-15485), but
it is less severe.
An attacker, located as a Man-in-the-Middle, can therefore decrypt
a SSL session of an application compiled with GnuTLS, in order to
obtain sensitive information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/GnuTLS-variant-of-POODLE-18409