Reference: CERT-EU Security Advisory 2014-025
Title: SSL/TLS implementation security issues [1]
Version history: 06.03.2014 Initial publication

Summary
=======
A couple of bugs in SSL/TLS implementations have recently been published, one by Apple [1] and one by GNU [2]. Both affect the authentication step of the SSL/TLS protocol and so could lead to a man-in-the-middle attack.

CVE numbers:
CVE-2014-0092 CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) [3]
CVE-2014-1266 CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) [4]

Affected Versions
=================
All versions of GnuTLS prior to 3.2.12.
Apple iOS 7.0.5 and earlier.

Original Details
================
Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps. (CVE-2014-1266)

A vulnerability was discovered that affects the certificate verification functions of all gnutls versions. A specially crafted certificate could bypass certificate validation checks. The vulnerability was discovered during an audit of GnuTLS for Red Hat. (CVE-2014-0092)

What can you do?
================
The first issue affects specific versions of iOS, which have to be upgraded [1]. The second one affects a library, so it could affect all software built with this library; the developers of that software should publish the appropriate patches. In any case, GNU has published an upgrade for the library [2].
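As an added example (not part of the advisory, and not CERT-EU's or either vendor's code), a small inventory check that applies the two affected-version thresholds stated above, GnuTLS prior to 3.2.12 and iOS 7.0.5 and earlier, to a constructed list of hosts; the helper names and the sample inventory are assumptions made here.

```python
"""Flag inventory entries exposed to CVE-2014-0092 (GnuTLS < 3.2.12) and
CVE-2014-1266 (Apple iOS <= 7.0.5), using the thresholds from the advisory.
Hypothetical helper; the inventory records below are constructed sample data."""
import re
from typing import List, Tuple

# Thresholds taken from the advisory's "Affected Versions" section.
GNUTLS_FIXED = (3, 2, 12)        # "all versions prior to 3.2.12" are affected
IOS_LAST_VULNERABLE = (7, 0, 5)  # "iOS 7.0.5 and earlier" are affected
CVES = {"gnutls": "CVE-2014-0092", "ios": "CVE-2014-1266"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.2.12' or '7.0.6' into a comparable tuple of integers.

    A packaging suffix such as '-12' or '1ubuntu1' is ignored so the tuple
    reflects the upstream version; trailing zeros are dropped so that
    '7.0.5.0' and '7.0.5' compare equal."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(component: str, version: str) -> bool:
    """True when (component, version) falls inside the advisory's ranges."""
    v = parse_version(version)
    key = component.lower()
    if key == "gnutls":
        return v < GNUTLS_FIXED
    if key == "ios":
        return v <= IOS_LAST_VULNERABLE
    return False  # components this advisory does not cover


def affected_hosts(inventory) -> List[Tuple[str, str, str, str]]:
    """Return (host, component, version, cve) for every exposed entry."""
    return [(h, c, v, CVES[c.lower()])
            for h, c, v in inventory if is_vulnerable(c, v)]


# Constructed sample inventory: (host, component, reported version).
SAMPLE_INVENTORY = [
    ("build01", "gnutls", "3.2.11"), ("build02", "gnutls", "3.2.12"),
    ("web01", "gnutls", "2.12.23-12"), ("phone-a", "iOS", "7.0.5"),
    ("phone-b", "iOS", "7.0.6"), ("phone-c", "iOS", "6.1.3"),
    ("gw01", "openssl", "1.0.1e"),
]

if __name__ == "__main__":
    for host, comp, ver, cve in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {comp} {ver} affected by {cve}")
```

A version-only check can report false positives where a distribution backports the fix without bumping the upstream version number, so confirm against the distribution's own advisory before closing a finding.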
What to tell your users
=======================
N/A

More information
================
[1] http://support.apple.com/kb/HT6147
[2] http://www.gnutls.org/security.html
[3] https://access.redhat.com/security/cve/CVE-2014-0092
[4] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1266

Best regards,
CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html