Aug 20, 2022 - 12:54 a.m.

Security Bulletin: TS3000 code level v7.x affected by Open Source GnuTLS crypto issue (CVE-2014-0092)

2022-08-20 00:54:31
www.ibm.com

CVSS2: 5.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.075 Low
Percentile: 94.0%

Summary

A security vulnerability has been found that affects certain levels of TSSC code.

Vulnerability Details

lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

Vendor: RedHat
Vendor ID: RHSA-2014:0246
Vendor Title: Important: gnutls security update
Included CVEs: CVE-2014-0092

The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. This vulnerability may allow an unauthenticated user to modify files on the TSSC host when accessing the TSSC remotely through the service web page.
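The failure mode described above, an error during verification being reported as success, is shown here in a simplified C example added for illustration; it is not GnuTLS source and not code from the bulletin. The names `struct cert`, `parse_issuer`, `check_issuer_flawed`, `check_issuer_fixed`, `accept_with` and `ERR_PARSE` are hypothetical, and the example assumes a check documented to return 1 or 0 whose caller treats any nonzero value as "verified".

```c
#include <stdio.h>
#include <stddef.h>
#define ERR_PARSE (-43)   /* hypothetical negative error code */

struct cert { const unsigned char *der; size_t len; int is_ca; };

/* Helper convention: 0 on success, negative error code on failure. */
static int parse_issuer(const struct cert *c)
{
    if (c->der == NULL || c->len == 0)
        return ERR_PARSE;        /* malformed input is an error, not a verdict */
    return 0;
}

/* Flawed: documented as "1 = issuer is a CA, 0 = not". */
int check_issuer_flawed(const struct cert *c)
{
    int result = parse_issuer(c);
    if (result < 0)
        goto cleanup;            /* bug: result still holds the error code */
    result = c->is_ca ? 1 : 0;
cleanup:
    return result;               /* negative error escapes as the verdict */
}

/* Hardened: every error path collapses to the "not verified" verdict. */
int check_issuer_fixed(const struct cert *c)
{
    int result = 0;              /* fail closed by default */
    if (parse_issuer(c) < 0)
        goto cleanup;
    result = c->is_ca ? 1 : 0;
cleanup:
    return result;
}

/* Caller idiom that turns the flaw into acceptance: nonzero means "true". */
int accept_with(int (*check)(const struct cert *), const struct cert *c)
{
    return check(c) ? 1 : 0;
}

int main(void)
{
    struct cert malformed = { NULL, 0, 0 };   /* constructed sample input */
    printf("flawed accepts: %d, fixed accepts: %d\n", accept_with(check_issuer_flawed, &malformed),
           accept_with(check_issuer_fixed, &malformed));
    return 0;
}
```

When reviewing code for this class of flaw, look for functions that mix the two return conventions (boolean verdicts and negative error codes) on a shared exit path.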

CVSS Base Score: 4.3
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/91486> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

TSSC 7.0-7.2

Remediation/Fixes

TSSC 7.3.15 contains GnuTLS 2.8.5-13, which has been patched to fix this vulnerability. Upgrade to 7.3.15 is recommended.

Workarounds and Mitigations

No known workarounds. TSSC should be updated to 7.3.15 to address this issue. No fixes are planned for 7.0-7.2.

CPE
Name: ts2900 tape autoloader
Operator: eq
Version: any
