CVE-2024-28835 Overview
A denial of service vulnerability has been discovered in GnuTLS, a widely used TLS library, that allows an attacker to crash applications by providing a specially crafted .pem certificate bundle. The flaw is triggered when using the certtool --verify-chain command to verify malformed certificate chains, resulting in an uncaught exception that terminates the application.
Critical Impact
Applications using GnuTLS for certificate verification may be susceptible to denial of service attacks when processing maliciously crafted certificate bundles.
Affected Products
- GnuTLS library (vulnerable versions)
- Red Hat Enterprise Linux (addressed in RHSA-2024:1879, RHSA-2024:2570, RHSA-2024:2889)
- Debian LTS (addressed in September 2024 announcement)
- NetApp products using GnuTLS (addressed in NTAP-20241122-0009)
Discovery Timeline
- 2024-03-21 - CVE-2024-28835 published to NVD
- 2024-03-22 - Vulnerability disclosed on OSS-Security mailing list
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2024-28835
Vulnerability Analysis
This vulnerability (CWE-248: Uncaught Exception) affects the certificate verification functionality within GnuTLS. When the certtool utility attempts to verify a certificate chain using the --verify-chain option, a specially crafted .pem bundle can trigger an unhandled exception condition. This results in the immediate termination of the application, causing a denial of service.
The attack requires local access and some user interaction, as the victim must be induced to process the malicious certificate file. While this limits the attack surface compared to network-exploitable vulnerabilities, it still poses a significant risk in automated certificate processing pipelines, CI/CD environments, or any scenario where certificate bundles from untrusted sources are verified.
Root Cause
The root cause is an uncaught exception (CWE-248) in GnuTLS's certificate chain verification logic. When parsing certain malformed certificate structures within a .pem bundle, the code fails to properly handle exceptional conditions, allowing the exception to propagate uncaught and crash the application. This indicates insufficient input validation and error handling in the certificate parsing routines.
Attack Vector
The attack vector for CVE-2024-28835 is local, requiring the attacker to have the ability to supply a malicious .pem certificate bundle to a target system. Exploitation scenarios include:
- An attacker providing a malicious certificate bundle to be verified by an administrator or automated process
- Uploading malformed certificates to systems that automatically verify certificate chains
- Social engineering attacks tricking users into verifying attacker-controlled certificate files
The vulnerability can be triggered by executing:
certtool --verify-chain < malicious.pem
When a malformed .pem bundle containing specially crafted certificate structures is processed, the verification routine encounters an exceptional condition it cannot handle, resulting in application termination. The specific malformation required to trigger this behavior relates to certificate encoding anomalies that the parser does not gracefully reject. For detailed technical information, refer to the GnuPG mailing list discussion and Red Hat Bug Report #2269084.
Detection Methods for CVE-2024-28835
Indicators of Compromise
- Unexpected crashes or segmentation faults in applications using GnuTLS certificate verification
- Core dumps generated by certtool or applications linked against GnuTLS
- Presence of unusual or malformed .pem files in certificate directories
- Log entries indicating certificate verification failures followed by process termination
Detection Strategies
- Monitor for abnormal process terminations in applications using GnuTLS, particularly those processing external certificates
- Implement file integrity monitoring on certificate storage directories to detect introduction of malformed certificate files
- Configure crash dump collection and analysis for GnuTLS-dependent applications
- Use SentinelOne's behavioral AI to detect anomalous application crashes that may indicate exploitation attempts
Monitoring Recommendations
- Enable logging for certificate verification operations and monitor for unusual patterns
- Set up alerts for repeated certtool crashes or certificate verification failures
- Monitor system logs for GnuTLS-related error messages and unhandled exceptions
- Track the introduction of new certificate files from untrusted sources
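The indicators and monitoring points above (core dumps, abnormal certtool terminations, repeated verification failures) can be turned into one concrete alert. The script below is an added example written for this page, not SentinelOne or GnuTLS code. It parses kernel segfault lines and systemd-coredump lines from a journal or syslog export, merges the two records a single crash produces, and raises an alert when a watched program crashes repeatedly inside a short window. The log lines are constructed for the example in those two real formats, and the watched process list, window and threshold are assumptions to tune per host.

```python
"""Alert on repeated certtool crashes found in system log lines.

Added example, not SentinelOne or GnuTLS code. Input lines are
constructed in the formats used by the kernel segfault handler and
systemd-coredump; WATCHED, WINDOW and THRESHOLD are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Two crash signatures as they appear in journald/syslog output.
KERNEL_SEGFAULT = re.compile(r"kernel: (?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at")
COREDUMP = re.compile(
    r"systemd-coredump\[\d+\]: Process (?P<pid>\d+) \((?P<comm>[^)]+)\) of user \d+ dumped core"
)

WATCHED = {"certtool", "gnutls-cli"}   # assumed: programs that verify external certificates
WINDOW = timedelta(minutes=10)         # assumed burst window
THRESHOLD = 3                          # assumed crashes per window before alerting


def parse_crashes(lines):
    """One event per crashed process. A kernel segfault line and a
    systemd-coredump line for the same pid describe one crash, so they
    are merged rather than counted twice."""
    events = {}
    for line in lines:
        for source, pattern in (("kernel", KERNEL_SEGFAULT), ("coredump", COREDUMP)):
            m = pattern.search(line)
            if not m:
                continue
            stamp = datetime.fromisoformat(line.split(" ", 1)[0])
            key = (int(m.group("pid")), m.group("comm"))
            ev = events.setdefault(key, {"ts": stamp, "pid": key[0], "comm": key[1], "sources": set()})
            ev["sources"].add(source)
    return sorted(events.values(), key=lambda e: e["ts"])


def alert_on_bursts(events, watched=WATCHED, window=WINDOW, threshold=THRESHOLD):
    """Sliding window over each watched program's crash times; one alert
    per program once `threshold` crashes fall within `window`."""
    alerts = []
    by_comm = defaultdict(list)
    for ev in events:
        if ev["comm"] in watched:
            by_comm[ev["comm"]].append(ev["ts"])
    for comm, stamps in by_comm.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"comm": comm, "count": end - start + 1,
                               "first": stamps[start], "last": stamps[end]})
                break  # one alert per program is enough for a ticket
    return alerts


# Constructed journal export: three certtool crashes in four minutes on a
# build host, an unrelated login, and one unrelated crash hours later.
SAMPLE_LOG = """\
2024-03-22T10:14:02 build01 kernel: certtool[4101]: segfault at 0 ip 00007f3a2c1b2e10 sp 00007ffd1f3c0a40 error 4 in libgnutls.so.30[7f3a2c100000+1c0000]
2024-03-22T10:14:02 build01 systemd-coredump[4102]: Process 4101 (certtool) of user 1000 dumped core.
2024-03-22T10:15:30 build01 systemd-coredump[4120]: Process 4118 (certtool) of user 1000 dumped core.
2024-03-22T10:16:11 build01 sshd[900]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2
2024-03-22T10:17:45 build01 systemd-coredump[4150]: Process 4149 (certtool) of user 1000 dumped core.
2024-03-22T12:30:00 build01 systemd-coredump[5001]: Process 5000 (python3) of user 1000 dumped core.
"""

if __name__ == "__main__":
    crashes = parse_crashes(SAMPLE_LOG.splitlines())
    for ev in crashes:
        print(f"{ev['ts'].isoformat()} {ev['comm']}[{ev['pid']}] via {sorted(ev['sources'])}")
    for alert in alert_on_bursts(crashes):
        print(f"ALERT {alert['comm']}: {alert['count']} crashes between "
              f"{alert['first'].isoformat()} and {alert['last'].isoformat()}")
```

Feed it `journalctl -o short-iso` output (or a syslog file with ISO timestamps) to run it against real data; the merge step matters because a single crash usually produces both a kernel line and a coredump line, and counting both would halve the effective threshold.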
How to Mitigate CVE-2024-28835
Immediate Actions Required
- Update GnuTLS to the latest patched version available for your distribution
- Apply security updates from Red Hat (RHSA-2024:1879, RHSA-2024:2570, RHSA-2024:2889) if applicable
- Review and restrict access to certificate verification functionality
- Validate certificate files from untrusted sources in isolated environments before processing
Patch Information
Multiple distributions have released patches addressing this vulnerability:
- Red Hat Security Advisory RHSA-2024:1879
- Red Hat Security Advisory RHSA-2024:2570
- Red Hat Security Advisory RHSA-2024:2889
- Debian LTS Announcement
- NetApp Security Advisory NTAP-20241122-0009
Workarounds
- Avoid processing certificate bundles from untrusted or unknown sources until patches are applied
- Implement input validation to reject obviously malformed .pem files before passing to certtool
- Run certificate verification operations in sandboxed or containerized environments to limit crash impact
- Use alternative certificate verification tools for untrusted certificates until GnuTLS is patched
# Check current GnuTLS version
gnutls-cli --version
# Update GnuTLS on Red Hat/CentOS systems
sudo yum update gnutls
# Update GnuTLS on Debian/Ubuntu systems
sudo apt-get update && sudo apt-get upgrade libgnutls30
# Verify the update was applied
gnutls-cli --version
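The workaround of rejecting obviously malformed .pem files before they reach certtool can be implemented as a small pre-filter in front of the verification step. The script below is an added example written for this page, not GnuTLS project code, and it makes no claim about the exact malformation behind CVE-2024-28835: it only checks the PEM armour, strict base64 decoding, and that the outer DER framing of each certificate is consistent with the bytes actually present, then reports whether the bundle is fit to hand to a patched certtool --verify-chain. The sample bundles it runs against are constructed DER skeletons, not real certificates.

```python
"""Pre-filter a PEM certificate bundle before it reaches certtool.

Added example for this page, not GnuTLS project code. It performs no
certificate verification; it only rejects bundles whose PEM armour,
base64 payload or outer DER framing is inconsistent, so that a patched
certtool --verify-chain sees well-formed input.
"""
import base64
import re

# One PEM block; BEGIN and END labels are captured so a mismatch can be reported.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)


def der_length(buf, pos):
    """Decode a definite DER length at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise ValueError("missing length byte")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("indefinite or oversized length is not DER")
    if pos + 1 + nbytes > len(buf):
        raise ValueError("truncated length field")
    length = int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")
    if length < 0x80 or buf[pos + 1] == 0:
        raise ValueError("non-minimal length encoding")
    return length, pos + 1 + nbytes


def check_der_certificate(der):
    """Check the outer shape of an X.509 Certificate:
    SEQUENCE { SEQUENCE tbsCertificate, SEQUENCE signatureAlgorithm, BIT STRING signature }
    with every length consistent with the bytes actually present."""
    if not der or der[0] != 0x30:
        raise ValueError("outer tag is not SEQUENCE")
    length, pos = der_length(der, 1)
    if pos + length != len(der):
        raise ValueError(f"outer SEQUENCE claims {length} bytes, {len(der) - pos} present")
    for name, tag in (("tbsCertificate", 0x30), ("signatureAlgorithm", 0x30), ("signature", 0x03)):
        if pos >= len(der) or der[pos] != tag:
            raise ValueError(f"{name}: expected tag 0x{tag:02x} at offset {pos}")
        clen, cpos = der_length(der, pos + 1)
        pos = cpos + clen
        if pos > len(der):
            raise ValueError(f"{name}: element overruns the certificate")
    if pos != len(der):
        raise ValueError("trailing bytes after signature")
    return True


def validate_pem_bundle(text):
    """Return the DER bytes of every block, or raise ValueError naming the first bad block."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no PEM blocks found")
    certs = []
    for i, (begin, body, end) in enumerate(blocks):
        if begin != end:
            raise ValueError(f"block {i}: BEGIN {begin} closed by END {end}")
        if begin != "CERTIFICATE":
            raise ValueError(f"block {i}: unexpected label {begin}")
        try:
            # validate=True makes b64decode reject characters outside the alphabet.
            der = base64.b64decode("".join(body.split()), validate=True)
            check_der_certificate(der)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"block {i}: {exc}") from exc
        certs.append(der)
    return certs


def bundle_verdict(text):
    """(accepted, reason) pair suitable for logging before invoking certtool."""
    try:
        certs = validate_pem_bundle(text)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{len(certs)} certificate block(s) structurally sound"


# Constructed samples, not real certificates: a Certificate skeleton with
# empty tbsCertificate and signatureAlgorithm and a one-byte signature,
# plus a copy whose outer length lies about how many bytes follow.
_SKELETON = bytes.fromhex("30 07 30 00 30 00 03 01 00")
_BAD_LENGTH = bytes.fromhex("30 10 30 00 30 00 03 01 00")


def pem_of(der, label="CERTIFICATE"):
    """Wrap DER bytes in PEM armour with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


SAMPLE_GOOD = pem_of(_SKELETON) * 2
SAMPLE_BAD_LENGTH = pem_of(_SKELETON) + pem_of(_BAD_LENGTH)
SAMPLE_BAD_B64 = "-----BEGIN CERTIFICATE-----\nMAcw!!!!\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad-length", SAMPLE_BAD_LENGTH), ("bad-base64", SAMPLE_BAD_B64)):
        accepted, reason = bundle_verdict(sample)
        print(f"{name:10s} {'PASS' if accepted else 'REJECT'}: {reason}")
```

A bundle that passes is then verified exactly as before with certtool --verify-chain; a bundle that is rejected never reaches the library, and the reason string gives the operator something to log. The filter is deliberately shallow (outer framing only) so that it cannot itself become a new parser to crash, and it is no substitute for applying the GnuTLS update.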
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.