Apache mod_gnutls Missing Key Purpose Check in Client Certificate Verification Vulnerability

Vulnerability

A vulnerability exists in the mod_gnutls module for Apache HTTPD prior to version 0.13.0: client certificate verification did not check the key purpose specified in the certificate's Extended Key Usage extension. An attacker holding the private key of a valid certificate that was issued by a CA trusted for TLS client authentication, but issued for a different purpose, could therefore present that certificate and gain unauthorized access to resources requiring TLS client authentication. Server configurations that do not use client certificates are not affected.
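The key-purpose check described above, written as an added illustration in Python (not mod_gnutls code): it parses the DER-encoded Extended Key Usage value of a client certificate and accepts the certificate for TLS client authentication only when the extension is absent or lists id-kp-clientAuth or anyExtendedKeyUsage. The DER sample values at the end are constructed, not taken from a real certificate.

```python
# Added example, not mod_gnutls code: the key-purpose check the advisory describes,
# applied to a DER-encoded ExtKeyUsage value (RFC 5280 4.2.1.12: SEQUENCE OF OID).
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"

def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV (definite length) at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) into dotted form."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last octet of this arc
            arcs.append(value)
            value = 0
    # The first encoded arc packs the first two components (X*40 + Y).
    first, second = divmod(arcs[0], 40) if arcs[0] < 80 else (2, arcs[0] - 80)
    return ".".join(str(x) for x in [first, second] + arcs[1:])

def parse_eku(eku_der: bytes) -> list:
    """Return the key-purpose OIDs listed in a DER-encoded ExtKeyUsage value."""
    tag, seq, _ = _read_tlv(eku_der, 0)
    if tag != 0x30:
        raise ValueError("ExtKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("ExtKeyUsage entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(content))
    return oids

def client_auth_allowed(eku_der) -> bool:
    """Accept a cert for TLS client auth only if EKU is absent (unrestricted)
    or lists id-kp-clientAuth or anyExtendedKeyUsage."""
    if eku_der is None:
        return True
    purposes = parse_eku(eku_der)
    return ID_KP_CLIENT_AUTH in purposes or ANY_EXTENDED_KEY_USAGE in purposes

# Constructed sample EKU values (DER hex), not taken from any real certificate.
SERVER_AUTH_ONLY = bytes.fromhex("300a06082b06010505070301")  # serverAuth only
CLIENT_AND_SERVER = bytes.fromhex("301406082b0601050507030106082b06010505070302")
```

A certificate with `SERVER_AUTH_ONLY` is exactly the case the advisory describes: valid, issued by a trusted CA, but rejected once the purpose is checked.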

Impact

Exploitation of this vulnerability could lead to unauthorized access to resources that require TLS client authentication, because certificates intended for other purposes are accepted as client certificates.

Remediation

Users can upgrade to mod_gnutls version 0.13.0 or later, where this issue has been addressed. For versions prior to 0.13.0, the default server configuration does not use client certificates, which mitigates the vulnerability. If dedicated CAs are used for issuing TLS client certificates only, the issue has no practical impact.

Added: Mar 24, 2026, 3:19 AM
Updated: Mar 24, 2026, 3:19 AM

Vulnerability Rating

Custom Algorithm
spread: 1.6
impact: 5.0
exploitability: 7.2
remediation: 7.7
relevance: 4.6
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.