GnuTLS OCSP Response Handling Vulnerability Allows Acceptance of Revoked Certificates

A vulnerability in GnuTLS's handling of Online Certificate Status Protocol (OCSP) responses can lead to a security bypass during TLS handshakes. This issue arises from a logic error in processing multi-record OCSP responses. A remote attacker could exploit this flaw by presenting a crafted OCSP response, causing a client with OCSP verification enabled to incorrectly accept a revoked server certificate. As a result, this could compromise the trust relationship between the client and server.

Impact

Exploitation of this vulnerability allows a client to accept a revoked server certificate, bypassing OCSP revocation checks. This creates an order-dependent acceptance issue, where the same revoked certificate can be accepted or rejected based on the OCSP response record order.

Reproduction

The vulnerability can be reproduced by stapling a multi-record OCSP response to a server certificate. The response must be crafted so that record 0, which is read unconditionally, indicates a 'good' status for a different certificate, while the matching record for the server certificate is later in the response and indicates 'revoked'. When the client processes this response, it will incorrectly accept the revoked certificate, demonstrating the flaw.

Remediation

Users can upgrade to GnuTLS version 3.8.13, where this vulnerability has been fixed.