CVE-2024-12243 Overview
A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.
Critical Impact
Remote attackers can exploit this algorithmic complexity vulnerability to cause denial of service by sending maliciously crafted DER-encoded certificates, consuming excessive CPU resources and rendering GnuTLS-dependent services unresponsive.
Affected Products
- GnuTLS (all versions using vulnerable libtasn1)
- libtasn1 library
- Linux distributions with affected GnuTLS/libtasn1 packages (Red Hat, Debian, NetApp products)
Discovery Timeline
- 2025-02-10 - CVE-2024-12243 published to NVD
- 2025-10-06 - Last updated in NVD database
Technical Details for CVE-2024-12243
Vulnerability Analysis
This vulnerability (CWE-407: Inefficient Algorithmic Complexity) resides in the libtasn1 library, which GnuTLS uses for parsing ASN.1-encoded data structures. When processing certain specially crafted DER-encoded certificate data, the decoding algorithm consumes CPU time out of proportion to the size of the input.
The attack can be executed remotely over the network without requiring authentication or user interaction. The vulnerability specifically impacts the availability of affected systems while confidentiality and integrity remain unaffected. An attacker can craft malicious certificate data that triggers the worst-case algorithmic behavior in the ASN.1 decoding routines, causing legitimate certificate processing operations to stall or fail.
Root Cause
The root cause is an inefficient algorithm implementation within libtasn1's DER-encoded data processing routines. When parsing specific patterns of nested or structured ASN.1 elements, the algorithm's time complexity becomes exponential or otherwise disproportionate, allowing attackers to craft input that maximizes processing time while minimizing payload size.
Attack Vector
The attack vector is network-based, where a remote attacker can submit specially crafted DER-encoded certificate data to any service utilizing GnuTLS for TLS/SSL connections or certificate validation. Common attack scenarios include:
- Sending malformed certificates during TLS handshake negotiations
- Submitting crafted certificates to services that perform certificate validation
- Exploiting any endpoint that processes ASN.1 encoded data through GnuTLS/libtasn1
The vulnerability does not require privileges or user interaction, making it suitable for automated attacks against exposed services. The technical details of the vulnerability are documented in GitLab issue #52 of the libtasn1 project.
Detection Methods for CVE-2024-12243
Indicators of Compromise
- Abnormally high CPU utilization on systems running GnuTLS-based services during TLS handshakes
- Increased latency or timeouts in certificate validation operations
- Services becoming unresponsive when processing incoming TLS connections
- Log entries indicating certificate parsing failures or timeouts
Detection Strategies
- Monitor CPU usage patterns on GnuTLS-dependent services for sustained spikes during certificate processing
- Implement network traffic analysis to identify anomalous certificate sizes or structures in TLS handshakes
- Deploy application performance monitoring to detect latency increases in TLS operations
- Configure alerting for service availability degradation on systems using affected libraries
Monitoring Recommendations
- Establish baseline metrics for certificate processing times and alert on significant deviations
- Implement rate limiting on TLS connection attempts to mitigate volumetric exploitation
- Monitor system resource utilization including CPU and memory on critical services using GnuTLS
- Review logs from TLS-enabled services for recurring certificate parsing errors or abnormal patterns
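The baseline-and-deviation check recommended above, as an added example that is not part of the original advisory. It assumes a hypothetical log format in which each TLS handshake records the certificate size in bytes and the parse time in milliseconds; the sample log lines are constructed. The key signal for a CWE-407 condition is parse time that is disproportionate to certificate size, so the check baselines microseconds per byte rather than raw duration.

```python
"""Flag certificate parses whose per-byte cost deviates from the baseline."""
import re
import statistics
from collections import Counter

# Constructed sample log lines (hypothetical format, not from a real system):
# eight ordinary handshakes plus two where a small certificate took seconds.
SAMPLE_LOG = """\
2025-02-11T10:00:01Z tls handshake peer=192.0.2.10 cert_bytes=1420 parse_ms=1.8 result=ok
2025-02-11T10:00:02Z tls handshake peer=192.0.2.11 cert_bytes=1380 parse_ms=1.6 result=ok
2025-02-11T10:00:03Z tls handshake peer=192.0.2.12 cert_bytes=1512 parse_ms=2.1 result=ok
2025-02-11T10:00:04Z tls handshake peer=192.0.2.13 cert_bytes=1100 parse_ms=1.3 result=ok
2025-02-11T10:00:05Z tls handshake peer=192.0.2.14 cert_bytes=1610 parse_ms=2.4 result=ok
2025-02-11T10:00:06Z tls handshake peer=198.51.100.7 cert_bytes=640 parse_ms=2400.0 result=timeout
2025-02-11T10:00:07Z tls handshake peer=192.0.2.15 cert_bytes=1290 parse_ms=1.7 result=ok
2025-02-11T10:00:08Z tls handshake peer=192.0.2.16 cert_bytes=1455 parse_ms=1.9 result=ok
2025-02-11T10:00:09Z tls handshake peer=198.51.100.9 cert_bytes=700 parse_ms=3100.0 result=timeout
2025-02-11T10:00:10Z tls handshake peer=192.0.2.17 cert_bytes=1230 parse_ms=1.5 result=ok
"""

LINE_RE = re.compile(r"peer=(?P<peer>\S+) cert_bytes=(?P<size>\d+) parse_ms=(?P<ms>[\d.]+)")


def parse_log(text):
    """Return (peer, cert_bytes, parse_ms) tuples; lines without the fields are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["peer"], int(m["size"]), float(m["ms"])))
    return events


def baseline(events):
    """Median and MAD of microseconds per certificate byte (robust to the outliers we hunt)."""
    rates = [ms * 1000.0 / size for _, size, ms in events]
    med = statistics.median(rates)
    mad = statistics.median(abs(r - med) for r in rates)
    return med, mad


def find_anomalies(events, k=10.0):
    """Flag handshakes whose per-byte parse cost exceeds median + k * MAD.

    A 5% floor on the spread avoids alerting on noise when the baseline is very tight.
    """
    med, mad = baseline(events)
    threshold = med + k * max(mad, 0.05 * med)
    return [(peer, size, ms) for peer, size, ms in events if ms * 1000.0 / size > threshold]


def hits_by_peer(hits):
    """Count flagged handshakes per peer, a useful input for rate limiting decisions."""
    return Counter(peer for peer, _, _ in hits)
```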
How to Mitigate CVE-2024-12243
Immediate Actions Required
- Update libtasn1 and GnuTLS packages to patched versions from your distribution vendor
- Review and apply security advisories from Red Hat, Debian, and NetApp as applicable
- Consider implementing rate limiting on services accepting untrusted certificates
- Monitor affected systems for signs of exploitation while patches are applied
Patch Information
Multiple vendors have released security updates addressing this vulnerability:
- Red Hat Security Advisory RHSA-2025:17361
- Red Hat Security Advisory RHSA-2025:4051
- Red Hat Security Advisory RHSA-2025:7076
- Red Hat Security Advisory RHSA-2025:8020
- Red Hat Security Advisory RHSA-2025:8385
- Debian LTS Announcement February 2025
- NetApp Security Advisory NTAP-20250523-0002
For detailed CVE information, consult the Red Hat CVE Details or Red Hat Bugzilla Report 2344615.
Workarounds
- Implement network-level filtering to restrict TLS connections to trusted sources where feasible
- Deploy connection rate limiting to reduce the impact of potential exploitation attempts
- Consider using alternative TLS libraries for critical services until patches can be applied
- Isolate affected services and implement additional monitoring for resource exhaustion indicators
# Example: Update libtasn1 and GnuTLS on Red Hat-based systems
sudo dnf update libtasn1 gnutls
# Example: Update on Debian-based systems
sudo apt update && sudo apt install --only-upgrade libtasn1-6 libgnutls30 gnutls-bin
# Verify installed versions after patching
rpm -q libtasn1 gnutls # Red Hat/CentOS
dpkg -l | grep -E 'libtasn1|gnutls' # Debian/Ubuntu
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.