CVE-2023-25824

7.5 HIGH

📋 TL;DR

This vulnerability in mod_gnutls (the GnuTLS-based TLS module for Apache HTTPD) causes an endless loop when a TLS connection times out during a blocking read, consuming CPU and, if trace-level logging is enabled, potentially disk space. It affects all systems running mod_gnutls versions 0.9.0 through 0.12.0 and allows denial-of-service attacks.

💻 Affected Systems

Products:
  • mod_gnutls
Versions: 0.9.0 to 0.12.0 (inclusive)
Operating Systems: All operating systems running Apache with mod_gnutls
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all configurations using mod_gnutls; impact is worse when trace-level logging is enabled, because the loop floods the error log.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service for Apache servers using mod_gnutls, with CPU exhaustion and potential disk space exhaustion from log spam, rendering services unavailable.

🟠 Likely Case

Degraded server performance due to CPU consumption, potentially causing service disruptions or slowdowns for legitimate users.

🟢 If Mitigated

Minimal impact if servers are patched or have the errno fix applied; otherwise, service degradation during TLS connection timeouts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires causing TLS connection timeouts, which can be achieved through network manipulation or resource exhaustion attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.12.1

Vendor Advisory: https://github.com/airtower-luna/mod_gnutls/security/advisories/GHSA-6cfv-fvgm-7pc8

Restart Required: Yes

Instructions:

1. Update mod_gnutls to version 0.12.1 or later.
2. Restart the Apache HTTPD service to apply the fix.

🔧 Temporary Workarounds

Apply errno fix (linux)

Manually apply the errno fix from the security advisory if patching is not possible. Refer to the security advisory for the specific errno fix details.

🧯 If You Can't Patch

  • Disable trace-level logging in the mod_gnutls configuration to prevent disk space exhaustion
  • Implement network controls to limit TLS connection timeouts and monitor for abnormal CPU usage

🔍 How to Verify

Check if Vulnerable:

Check mod_gnutls version; if between 0.9.0 and 0.12.0 inclusive, the system is vulnerable.

Check Version:

apache2ctl -M 2>/dev/null | grep -i gnutls && { dpkg-query -W -f '${Version}\n' libapache2-mod-gnutls 2>/dev/null || rpm -q mod_gnutls 2>/dev/null; }

(The first command confirms the module is loaded; the second prints the installed package version. libapache2-mod-gnutls is the Debian/Ubuntu package name and mod_gnutls the Fedora/RHEL one; substitute your distribution's name if it differs.)

Verify Fix Applied:

Verify mod_gnutls version is 0.12.1 or later and monitor for CPU spikes during TLS timeouts.
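The version check above, written out as a small POSIX shell script. This is an added example, not code from the advisory or the mod_gnutls project: it reports whether the module is loaded, looks up the installed package version, and decides whether that version falls inside the affected range 0.9.0 to 0.12.0 inclusive. The package names (libapache2-mod-gnutls on Debian/Ubuntu, mod_gnutls on Fedora/RHEL) and the apache2ctl/httpd binary names are assumptions; adjust them for your platform.

```shell
#!/bin/sh
# Added example (not part of the advisory): classify an installed mod_gnutls
# version against the CVE-2023-25824 affected range 0.9.0 .. 0.12.0 inclusive.
# Package and binary names below are assumptions for common distributions.

# Convert "MAJOR.MINOR.PATCH[-suffix]" to one integer so ranges can be compared
# with plain arithmetic. Missing components count as 0; a Debian revision
# ("-1"), a "+dfsg" tag or a "~rc1" suffix is dropped before parsing.
version_key() {
    v=$(printf '%s' "$1" | sed 's/[-+~].*//')
    maj=$(printf '%s' "$v" | cut -d. -f1)
    min=$(printf '%s' "$v" | cut -s -d. -f2)
    pat=$(printf '%s' "$v" | cut -s -d. -f3)
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# Exit 0 (true) when the given version is inside the affected range.
affected_version() {
    k=$(version_key "$1")
    lo=$(version_key 0.9.0)
    hi=$(version_key 0.12.0)
    [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# Print the installed package version, or fail if no package manager knows it.
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}' libapache2-mod-gnutls 2>/dev/null && return 0
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' mod_gnutls 2>/dev/null && return 0
    fi
    return 1
}

# Is the module actually loaded into the running httpd configuration?
module_loaded() {
    { apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null; } | grep -qi gnutls
}

# Overall verdict: 0 = not affected, 1 = vulnerable, 2 = could not determine.
check_host() {
    if ! module_loaded; then
        echo "mod_gnutls is not loaded; CVE-2023-25824 does not apply"
        return 0
    fi
    v=$(installed_version) || {
        echo "mod_gnutls is loaded but its version is unknown; check manually"
        return 2
    }
    if affected_version "$v"; then
        echo "VULNERABLE: mod_gnutls $v is within 0.9.0..0.12.0 (CVE-2023-25824); upgrade to 0.12.1 or later"
        return 1
    fi
    echo "OK: mod_gnutls $v is outside the affected range"
    return 0
}

# Run the check only when invoked with --run, so the file can also be sourced.
case "${1:-}" in --run) check_host ;; esac
```

Run it as `sh check-mod-gnutls.sh --run`; the exit status (0, 1 or 2) makes it usable from configuration-management or fleet-inventory jobs without parsing the message.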

📡 Detection & Monitoring

Log Indicators:

  • Excessive log entries from mod_gnutls with trace logging enabled
  • Repeated timeout or read error messages

Network Indicators:

  • Unusual TLS connection timeouts or failures
  • Increased network latency to Apache servers

SIEM Query:

Search for mod_gnutls log entries with 'timeout' or 'read' errors occurring at high frequency
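A concrete form of that search, as an added example that is not part of this advisory: an awk filter that counts mod_gnutls timeout/read-error lines per minute in an Apache error log and reports the minutes above a threshold, which is the signature a tight retry loop leaves behind. The sample log lines are constructed for the example (RFC 5737 client addresses and invented message text); real mod_gnutls messages will differ, so adjust the match pattern to what your logs actually contain.

```shell
#!/bin/sh
# Added example (not from the advisory): flag minutes in which mod_gnutls
# logged an unusual number of timeout/read error lines.
# SAMPLE_LOG is constructed for this example; the message text is invented.
SAMPLE_LOG='[Tue Mar 07 10:00:01.000000 2023] [gnutls:error] [pid 1234:tid 140001] [client 192.0.2.10:51000] GnuTLS: read timeout
[Tue Mar 07 10:00:01.000200 2023] [gnutls:error] [pid 1234:tid 140001] [client 192.0.2.10:51000] GnuTLS: read timeout
[Tue Mar 07 10:00:01.000400 2023] [gnutls:error] [pid 1234:tid 140001] [client 192.0.2.10:51000] GnuTLS: read timeout
[Tue Mar 07 10:00:01.000600 2023] [gnutls:error] [pid 1234:tid 140001] [client 192.0.2.10:51000] GnuTLS: read timeout
[Tue Mar 07 10:00:01.000800 2023] [gnutls:error] [pid 1234:tid 140001] [client 192.0.2.10:51000] GnuTLS: read timeout
[Tue Mar 07 10:00:01.001000 2023] [gnutls:error] [pid 1234:tid 140001] [client 192.0.2.10:51000] GnuTLS: read timeout
[Tue Mar 07 10:00:02.000000 2023] [gnutls:info] [pid 1234:tid 140002] [client 198.51.100.7:40022] GnuTLS: handshake completed
[Tue Mar 07 10:00:03.000000 2023] [core:notice] [pid 1200:tid 1200] AH00094: Command line: '"'"'/usr/sbin/apache2'"'"'
[Tue Mar 07 10:01:15.000000 2023] [gnutls:error] [pid 1234:tid 140003] [client 198.51.100.7:40023] GnuTLS: read timeout'

# usage: flag_bursts THRESHOLD < error_log
# Prints "Mon DD HH:MM COUNT" for every minute with COUNT >= THRESHOLD.
flag_bursts() {
    thr="${1:-100}"
    awk -v thr="$thr" '
        # Only mod_gnutls lines that mention a timeout or a read error.
        /\[gnutls:/ && /timeout|read error/ {
            # $4 is "HH:MM:SS.micro"; bucket on "Mon DD HH:MM".
            split($4, t, ":")
            key = $2 " " $3 " " t[1] ":" t[2]
            n[key]++
        }
        END { for (k in n) if (n[k] >= thr) printf "%s %d\n", k, n[k] }
    ' | sort
}

# Number of flagged minutes in the constructed sample for a given threshold.
burst_minutes() {
    printf '%s\n' "$SAMPLE_LOG" | flag_bursts "$1" | wc -l | tr -d ' '
}
```

Against a real log, pipe the file in: `flag_bursts 100 < /var/log/apache2/error.log`. Tune the threshold to your normal TLS timeout rate; a healthy server logs these sporadically, while the loop described in this advisory produces them continuously from one worker and the same client.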
