CVE-2024-0567 – A vulnerability in GnuTLS causes Cockpit to rej... (How to Fix)

Q: What is the severity of CVE-2024-0567?

CVE-2024-0567 has a CVSS score of 7.5 (HIGH). A vulnerability in GnuTLS causes Cockpit to reject certificate chains with distributed trust when using cockpit-certificate-ensure, allowing unauthenticated remote attackers to trigger denial of service. This affects systems running Cockpit with GnuTLS in vulnerable configurations.

📋 TL;DR

A vulnerability in GnuTLS causes Cockpit to reject certificate chains with distributed trust when using cockpit-certificate-ensure, allowing unauthenticated remote attackers to trigger denial of service. This affects systems running Cockpit with GnuTLS in vulnerable configurations.

💻 Affected Systems

Products:

Cockpit (using GnuTLS)
GnuTLS

Versions: GnuTLS versions before 3.8.3, Cockpit versions using vulnerable GnuTLS

Operating Systems: Linux distributions including RHEL, Fedora, CentOS, Debian, Ubuntu

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems where cockpit-certificate-ensure is used for certificate chain validation with distributed trust configurations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability for Cockpit web interface and management functions, disrupting system administration capabilities.

🟠

Likely Case

Intermittent service disruptions for Cockpit when certificate validation fails, requiring manual intervention to restore functionality.

🟢

If Mitigated

Minimal impact with proper network segmentation and access controls limiting exposure to untrusted clients.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation allows attackers to easily trigger DoS against exposed Cockpit instances.

🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could still trigger DoS, but requires network access.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple certificate chain manipulation can trigger the vulnerability without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: GnuTLS 3.8.3 or later

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-0567

Restart Required: Yes

Instructions:

1. Update GnuTLS to version 3.8.3 or later using your distribution's package manager. 2. Restart Cockpit service: systemctl restart cockpit. 3. Verify the update with: gnutls-cli --version

🔧 Temporary Workarounds

Disable cockpit-certificate-ensure

linux

Temporarily disable the certificate validation component that triggers the vulnerability

systemctl stop cockpit
systemctl disable cockpit

Network Access Restriction

linux

Limit Cockpit access to trusted networks only

firewall-cmd --permanent --remove-service=cockpit
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP_RANGE" service name="cockpit" accept'
firewall-cmd --reload

🧯 If You Can't Patch

Implement strict network segmentation to isolate Cockpit from untrusted networks
Monitor Cockpit service health and implement automated restart scripts for service recovery

🔍 How to Verify

Check if Vulnerable:

Check GnuTLS version: gnutls-cli --version | grep 'gnutls' and compare to 3.8.3. If version < 3.8.3, system is vulnerable.

Check Version:

gnutls-cli --version

Verify Fix Applied:

Verify GnuTLS version is 3.8.3 or higher: gnutls-cli --version. Test certificate validation with cockpit-certificate-ensure.

📡 Detection & Monitoring

Log Indicators:

Cockpit service crashes or restarts in system logs
Certificate validation errors in Cockpit logs
Increased failed authentication attempts

Network Indicators:

Multiple certificate validation requests from single source
Unusual certificate chain submissions to Cockpit port

SIEM Query:

source="cockpit" AND ("certificate" OR "validation" OR "crash")

📊 Metadata

CVE ID: CVE-2024-0567

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-347

Published: January 16, 2024

Last Updated: November 21, 2024

🔗 References

https://access.redhat.com/errata/RHSA-2024:0533 Third Party Advisory
https://access.redhat.com/errata/RHSA-2024:1082 Third Party Advisory
https://access.redhat.com/errata/RHSA-2024:1383
https://access.redhat.com/errata/RHSA-2024:2094
https://access.redhat.com/security/cve/CVE-2024-0567 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2258544 Exploit,Issue Tracking,Third Party Advisory
https://gitlab.com/gnutls/gnutls/-/issues/1521 Exploit,Issue Tracking,Patch,Vendor Advisory
https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html Mailing List
http://www.openwall.com/lists/oss-security/2024/01/19/3
https://access.redhat.com/errata/RHSA-2024:0533 Third Party Advisory
https://access.redhat.com/errata/RHSA-2024:1082 Third Party Advisory
https://access.redhat.com/errata/RHSA-2024:1383
https://access.redhat.com/errata/RHSA-2024:2094
https://access.redhat.com/security/cve/CVE-2024-0567 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2258544 Exploit,Issue Tracking,Third Party Advisory
https://gitlab.com/gnutls/gnutls/-/issues/1521 Exploit,Issue Tracking,Patch,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/
https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html Mailing List
https://security.netapp.com/advisory/ntap-20240202-0011/

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-0567, you might also want to check these: