GnuTLS Case-Sensitive Name Constraints Comparison Vulnerability Allows Policy Bypass

A vulnerability in GnuTLS has been identified, where the library performs case-sensitive comparisons of nameConstraints labels in X.509 certificates. This issue specifically affects dNSName (DNS) and rfc822Name (email) constraints within excludedSubtrees or permittedSubtrees. A remote attacker can exploit this flaw by crafting a leaf certificate with intentional casing differences in the Subject Alternative Name (SAN). As a result, a certificate that should be rejected is accepted, leading to a policy bypass. This vulnerability could enable unauthorized access or information disclosure, particularly in environments that rely on nameConstraints to enforce domain boundaries in delegated Public Key Infrastructure (PKI) hierarchies.

Impact

Exploitation of this vulnerability allows a constrained subordinate Certificate Authority (CA) to issue certificates for domains that should be restricted, bypassing nameConstraints enforcement. This could lead to unauthorized certificate validation and potential TLS impersonation of services associated with the excluded domains.

Reproduction

The vulnerability can be reproduced by creating a leaf certificate that violates the nameConstraints set by a constrained sub-CA. This can be done by using a mixed-case DNS name or email address that differs only by case from the excluded names in the constraints. When the certificate is verified using GnuTLS, it will be incorrectly accepted as valid, despite violating the specified constraints.

Remediation

Users can upgrade to GnuTLS version 3.8.13, which addresses this vulnerability by implementing case-insensitive string comparisons for nameConstraints, ensuring proper enforcement of exclusion rules.