CVE-2024-12243
📋 TL;DR
This vulnerability in GnuTLS (via libtasn1) allows remote attackers to cause a denial of service by sending specially crafted certificates that trigger inefficient ASN.1 decoding algorithms, leading to excessive resource consumption and unresponsive services. Any system using vulnerable versions of GnuTLS for TLS/SSL certificate processing is affected, particularly servers that accept client certificates or process untrusted certificate chains.
💻 Affected Systems
- GnuTLS
- libtasn1
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Critical services become completely unresponsive, causing extended downtime and cascading failures in dependent systems.
Likely Case
Performance degradation and intermittent service slowdowns under attack, reducing availability and increasing latency.
If Mitigated
Minimal impact with proper rate limiting, certificate validation, and monitoring in place.
🎯 Exploit Status
The attack requires the ability to send crafted certificates to the vulnerable service. No authentication is needed if the service accepts client certificates.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: GnuTLS 3.8.6 or later, libtasn1 4.19.0 or later
Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:17361
Restart Required: Yes
Instructions:
1. Update GnuTLS and libtasn1 packages via the system package manager.
2. For RHEL/CentOS: yum update gnutls libtasn1
3. Restart affected services using GnuTLS.
4. Verify that the updated versions are in use.
🔧 Temporary Workarounds
Rate limit certificate processing
Implement rate limiting on certificate validation endpoints to reduce DoS impact.
# Configure web server or application rate limiting for TLS handshake endpoints
Disable client certificate authentication
If not required, disable client certificate authentication to reduce the attack surface.
# Modify TLS configuration to require only server certificates
🧯 If You Can't Patch
- Implement strict certificate validation and reject malformed certificates early in processing
- Deploy network-level protections like WAF or load balancers to filter suspicious certificate traffic
🔍 How to Verify
Check if Vulnerable:
Check GnuTLS and libtasn1 versions: gnutls-cli --version && libtasn1-config --version
Check Version:
gnutls-cli --version 2>/dev/null | head -1 && libtasn1-config --version 2>/dev/null
Verify Fix Applied:
Verify versions are >=3.8.6 for GnuTLS and >=4.19.0 for libtasn1
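The following check script is an added example, not part of this advisory or of the GnuTLS project: it runs the two version commands above and compares the results numerically against the fixed versions stated on this page (3.8.6 and 4.19.0), assuming gnutls-cli and libtasn1-config are on PATH. Distributions such as RHEL frequently backport fixes without changing the upstream version string, so a "below fixed version" verdict means the package changelog or the RHSA is the authority, not that the host is certainly vulnerable.

```shell
# Added example: compare installed GnuTLS/libtasn1 versions with the fixed
# versions on this page. Assumes gnutls-cli and libtasn1-config are on PATH.
GNUTLS_MIN=3.8.6     # fixed upstream version per the advisory
LIBTASN1_MIN=4.19.0  # fixed upstream version per the advisory

# version_ge A B: succeed when dotted version A >= B, comparing each numeric
# component (so 3.8.10 > 3.8.9, which a plain string comparison gets wrong).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# extract_version TEXT: first dotted number in TEXT, e.g. "gnutls-cli 3.8.6" -> 3.8.6
extract_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# check_component NAME INSTALLED MIN: print a verdict; return 0 when at/above
# the fixed version, 1 when below it, 2 when no version could be read.
check_component() {
  name=$1 have=$2 min=$3
  if [ -z "$have" ]; then
    printf '%s: no version found (tool missing or library not installed)\n' "$name"
    return 2
  fi
  if version_ge "$have" "$min"; then
    printf '%s %s: >= %s, fixed upstream version present\n' "$name" "$have" "$min"
    return 0
  fi
  # Distros often backport fixes without bumping the version string, so this
  # verdict means "check the package changelog or advisory", not "exploitable".
  printf '%s %s: < %s, below fixed version (verify distro backports)\n' "$name" "$have" "$min"
  return 1
}

# Run both checks; $status is 0 only if both components are at/above the fix.
status=0
gv=$(extract_version "$(gnutls-cli --version 2>/dev/null | head -n 1)")
tv=$(extract_version "$(libtasn1-config --version 2>/dev/null)")
check_component gnutls   "$gv" "$GNUTLS_MIN"   || status=1
check_component libtasn1 "$tv" "$LIBTASN1_MIN" || status=1
```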
📡 Detection & Monitoring
Log Indicators:
- Unusually long TLS handshake times
- High CPU usage by GnuTLS processes
- Certificate validation timeout errors
Network Indicators:
- Multiple TLS connections with malformed certificates
- Unusual certificate sizes or structures
SIEM Query:
source="*tls*" AND (message="*timeout*" OR message="*certificate*" OR message="*handshake*") AND duration>5s
🔗 References
- https://access.redhat.com/errata/RHSA-2025:17361
- https://access.redhat.com/errata/RHSA-2025:4051
- https://access.redhat.com/errata/RHSA-2025:7076
- https://access.redhat.com/errata/RHSA-2025:8020
- https://access.redhat.com/errata/RHSA-2025:8385
- https://access.redhat.com/security/cve/CVE-2024-12243
- https://bugzilla.redhat.com/show_bug.cgi?id=2344615
- https://gitlab.com/gnutls/libtasn1/-/issues/52
- https://lists.debian.org/debian-lts-announce/2025/02/msg00027.html
- https://security.netapp.com/advisory/ntap-20250523-0002/