Executive Summary

This vulnerability is a use-after-free flaw in the GnuTLS library, specifically in the function gnutls_pkcs11_token_set_pin. It occurs when an attacker tries to change the Security Officer PIN by calling this function with the old PIN set to NULL on a token that does not have a protected authentication path.

In this scenario, the PKCS#11 URI is freed too early after opening a session, but it is later reused during the PIN retrieval process. This premature freeing leads to a heap use-after-free condition, which can cause memory corruption or process crashes if exploited.

The issue arises because the URI should remain valid until after the PIN retrieval completes, but the current code frees it too soon. A fix involves deferring the freeing of the URI until it is no longer needed.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to memory corruption or process crashes in applications using the affected GnuTLS function. An attacker exploiting this use-after-free flaw could cause denial of service by crashing the process.

Under precise heap manipulation, it might be possible for an attacker to execute more advanced exploits, potentially leading to further compromise of the system or application using GnuTLS.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the use-after-free vulnerability in the gnutls_pkcs11_token_set_pin function, you should apply the patch or update provided by the GnuTLS maintainers that defers freeing the PKCS#11 URI until after all its uses are complete.

Since the vulnerability occurs when changing the Security Officer PIN with a NULL old PIN on tokens lacking a protected authentication path, avoid performing such PIN changes until the fix is applied.

Monitor for updates from your Linux distribution or GnuTLS project and apply security updates promptly once available.

Useful 0 Not Useful 0