GINZINGER SECURITY ALERT: SERIOUS SECURITY VULNERABILITY IN GNUTLS (CVE-2020-13777)
A serious security vulnerability has been discovered in GnuTLS. The vulnerability can be exploited to decrypt or read TLS connections when using GnuTLS. More details about this vulnerability can be found here:
- Heise Online: Massives Sicherheitsproblem in GnuTLS erlaubt Mitlesen von Kommunikation
- GitLab: CVE-2020-13777: TLS 1.3 session resumption works without master key, allowing MITM
The following GELin releases are affected
- 19.04 (gnutls-3.6.6)
- 19.10 (gnutls-220.127.116.11)
- 20.04 (gnutls-3.6.13)
Components directly affected in GELin are libsoap (C SOAP library) and libmicrohttp (C HTTP library). However, it cannot be excluded that other components in certain usecases/configurations also use GnuTLS and are vulnerable too.
We suggest the following procedure:
- For projects where connectivity and especially TLS play a role, we strongly recommend an update.
- If you are not currently and directly affected, we should decide on a procedure together to consider an update of your systems in the near future.
- For the currently maintained Ginzinger GELin Release 20.04 there will be a correction (20.04a) as of 22.6.2020 and can be requested free of charge by customers with maintenance contract.
- Necessary adjustments in older versions can be carried out as a service.
Your known contact persons are available for further support.