CVE-2020-13962
📋 TL;DR
This vulnerability in Qt's SSL/TLS implementation stems from mishandling of the OpenSSL error queue: an error left behind by one failed TLS session can cause unrelated sessions to be disconnected. It affects Qt 5.12.2 through 5.14.2 and applications using QSslSocket, such as unofficial Mumble 1.3.0 builds. The primary impact is denial of service through unexpected TLS session termination.
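The disconnection of unrelated sessions follows from how OpenSSL reports errors: its error queue is per thread, not per session, and SSL_get_error() treats a non-positive I/O return as a fatal SSL error whenever that queue is non-empty, so a leftover entry from one failed handshake turns a harmless "wait for more data" on another session into a disconnect. The C program below is an added example, not Qt's or OpenSSL's code: it models the shared queue and the classification rule with constructed stand-ins (the errq_* functions, a placeholder error code, the run_scenario driver) instead of real OpenSSL calls, and contrasts the buggy pattern with the fix of clearing the queue before each session's I/O, the job ERR_clear_error() does in OpenSSL.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for OpenSSL's per-thread error queue (the ERR_* API):
 * one queue shared by every TLS session serviced on this thread. */
#define ERRQ_CAP 8
#define STALE_HANDSHAKE_ERR 0xDEAD0001UL   /* placeholder code, not a real OpenSSL value */

static unsigned long err_queue[ERRQ_CAP];
static size_t err_count = 0;

static void errq_put(unsigned long code) {
    if (err_count < ERRQ_CAP) err_queue[err_count++] = code;
}
static void errq_clear(void) { err_count = 0; }   /* plays the role of ERR_clear_error() */
static size_t errq_size(void) { return err_count; }

/* The three answers a caller acts on, modelled on the SSL_get_error() values:
 * 0 = ok, 1 = fatal SSL error, 2 = retry when the socket becomes readable. */
enum io_outcome { IO_OK = 0, IO_FATAL_SSL = 1, IO_WANT_READ = 2 };

struct session {
    const char *name;
    int last_rc;   /* what the simulated I/O call returned: >0 bytes, else 0 or -1 */
};

/* Simulated TLS I/O. A failing handshake returns -1 and records the cause on
 * the shared queue; a session that merely has no data yet returns 0 and
 * records nothing, which is exactly the case that must be treated as retryable. */
static int do_io(struct session *s, bool handshake_fails, bool data_ready) {
    if (handshake_fails) {
        errq_put(STALE_HANDSHAKE_ERR);
        s->last_rc = -1;
    } else {
        s->last_rc = data_ready ? 42 : 0;
    }
    return s->last_rc;
}

/* Mirrors the documented SSL_get_error() rule: a non-positive return is a
 * fatal SSL error if the queue holds entries, otherwise a retryable wait. */
static enum io_outcome classify(const struct session *s) {
    if (s->last_rc > 0) return IO_OK;
    if (errq_size() > 0) return IO_FATAL_SSL;
    return IO_WANT_READ;
}

/* Runs two sessions back to back: `a`, whose handshake fails, then `b`, which
 * only needs to wait for data. Stores a's classification and returns b's. */
static enum io_outcome run_scenario(bool clear_between_sessions, enum io_outcome *outcome_a) {
    struct session a = {"a", 0}, b = {"b", 0};
    errq_clear();
    do_io(&a, true, false);
    *outcome_a = classify(&a);          /* correctly fatal in both variants */
    if (clear_between_sessions)
        errq_clear();                   /* the fix: drain a's leftovers before touching b */
    do_io(&b, false, false);
    return classify(&b);
}

/* Buggy pattern: b inherits a's stale entry and is reported fatal, so the
 * application tears down a perfectly healthy session. */
static enum io_outcome outcome_b_without_clearing(void) {
    enum io_outcome a;
    return run_scenario(false, &a);
}

/* Fixed pattern: with the queue cleared first, b is correctly told to retry. */
static enum io_outcome outcome_b_with_clearing(void) {
    enum io_outcome a;
    return run_scenario(true, &a);
}

/* The fix does not mask a's own failure: it is still classified as fatal. */
static enum io_outcome outcome_a_with_clearing(void) {
    enum io_outcome a;
    run_scenario(true, &a);
    return a;
}

int main(void) {
    printf("b without clearing: %d (1 = wrongly fatal, session dropped)\n", outcome_b_without_clearing());
    printf("b with clearing:    %d (2 = retry, session kept)\n", outcome_b_with_clearing());
    printf("a with clearing:    %d (1 = genuinely fatal)\n", outcome_a_with_clearing());
    return 0;
}
```

The point the model makes for defenders is that the failure is not in the TLS protocol but in bookkeeping around it: any code that drives several OpenSSL sessions from one thread must leave the error queue empty before each I/O call, or an unrelated session's benign "would block" result will be misread as a fatal error.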
💻 Affected Systems
- Qt
- Mumble (unofficial builds)
- Other applications using QSslSocket
📦 What is this software?
Fedora by Fedoraproject
Leap by Opensuse
Mumble by Mumble
⚠️ Risk & Real-World Impact
Worst Case
Critical TLS-dependent services become unavailable as multiple unrelated sessions disconnect when any single handshake fails, causing cascading service disruption.
Likely Case
Intermittent TLS connection drops affecting applications using QSslSocket, particularly in environments with mixed TLS success/failure rates.
If Mitigated
Limited to occasional connection resets in affected applications, with minimal impact on overall service availability.
🎯 Exploit Status
Exploitation requires the ability to trigger TLS handshake failures, which could be achieved through network manipulation or malformed certificates.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Qt 5.14.3 or later, Mumble 1.3.1
Vendor Advisory: https://bugreports.qt.io/browse/QTBUG-83450
Restart Required: Yes
Instructions:
1. Update Qt to version 5.14.3 or later.
2. Update Mumble to version 1.3.1 or later.
3. Restart affected applications/services.
🔧 Temporary Workarounds
Disable TLS for non-critical services
Temporarily disable TLS/SSL for affected applications where security requirements allow
Network segmentation
Isolate affected systems to limit propagation of TLS failures
🧯 If You Can't Patch
- Monitor TLS handshake failure rates and investigate spikes immediately
- Implement connection pooling with automatic reconnection for affected services
🔍 How to Verify
Check if Vulnerable:
Check the Qt version with `qmake --version` or examine the application's dependencies. For Mumble, check whether it is an unofficial 1.3.0 build.
Check Version:
qmake --version
Verify Fix Applied:
Verify that the Qt version is 5.14.3 or later and the Mumble version is 1.3.1 or later. Test TLS connections under failure conditions.
📡 Detection & Monitoring
Log Indicators:
- Unexpected TLS session disconnections
- OpenSSL error queue warnings
- Multiple simultaneous TLS handshake failures
Network Indicators:
- Spikes in TLS renegotiation attempts
- Unusual patterns of successful/failed TLS connections
SIEM Query:
source="*ssl*" AND ("handshake failure" OR "session disconnected" OR "error queue")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00004.html
- https://bugreports.qt.io/browse/QTBUG-83450
- https://github.com/mumble-voip/mumble/issues/3679
- https://github.com/mumble-voip/mumble/pull/4032
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X6EDPIIAQPVP2CHL2CHDHJ25EECA7UE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQJDBZUYMMF4R5QQKD2HTIKQU2NSKO63/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V3IZY7LKJ6NAXQDFYFR4S7L5BBHYK53K/
- https://security.gentoo.org/glsa/202007-18