CVE-2020-13777

gnutls: session resumption works without master key allowing MITM

Severity Score

7.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.

GnuTLS versiones 3.6.x anteriores a 3.6.14, usa una criptografía incorrecta para cifrar un ticket de sesión (una pérdida de confidencialidad en TLS versión 1.2, y un desvío de autenticación en TLS versión 1.3). La primera versión afectada es la 3.6.4 (24-09-2018) debido a un error en un commit del 18-09-2018. Hasta la primera rotación de claves, el servidor TLS siempre utiliza datos erróneos en lugar de una clave de cifrado derivada de una aplicación

A flaw was found in GnuTLS, in versions starting from 3.6.4, where it does not session the ticket encryption key in a secure fashion by the application which is connecting. This flaw allows an attacker to craft a man-in-the-middle-attack, with the ability to bypass the TLS1.3 authentication and also recover older conversations when TLS1.2 is in use. The highest threat to this flaw is to confidentiality and integrity.

A flaw was reported in the TLS session ticket key construction in GnuTLS, a library implementing the TLS and SSL protocols. The flaw caused the TLS server to not securely construct a session ticket encryption key considering the application supplied secret, allowing a man-in-the-middle attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-06-03 CVE Reserved
2020-06-04 CVE Published
2020-06-13 First Exploit
2024-08-04 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-345: Insufficient Verification of Data Authenticity

CAPEC

References (15)

URL	Tag	Source
https://security.netapp.com/advisory/ntap-20200619-0004	Third Party Advisory

URL	Date	SRC
https://github.com/0xxon/cve-2020-13777	2024-07-16
https://github.com/shigeki/challenge_CVE-2020-13777	2020-06-13
https://github.com/prprhyt/PoC_TLS1_3_CVE-2020-13777	2021-12-10

URL	Date	SRC

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00015.html	2023-11-07
https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6C4DHUKV6M6SJ5CV6KVHZNHNF7HCUE5P	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6RTXZOXC4MHTFE2HKY6IAZMF2WHD2WMV	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RRQBFK3UZ7SV76IYDTS4PS6ABS2DSJHK	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMB3UGI5H5RCFRU6OGRPMNUCNLJGEN7Y	2023-11-07
https://security.gentoo.org/glsa/202006-01	2023-11-07
https://usn.ubuntu.com/4384-1	2023-11-07
https://www.debian.org/security/2020/dsa-4697	2023-11-07
https://access.redhat.com/security/cve/CVE-2020-13777	2020-06-22
https://bugzilla.redhat.com/show_bug.cgi?id=1843723	2020-06-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Gnu Search vendor "Gnu"		Gnutls Search vendor "Gnu" for product "Gnutls"				>= 3.6.0 < 3.6.14 Search vendor "Gnu" for product "Gnutls" and version " >= 3.6.0 < 3.6.14"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				31 Search vendor "Fedoraproject" for product "Fedora" and version "31"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				32 Search vendor "Fedoraproject" for product "Fedora" and version "32"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				19.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "19.10"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				20.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "20.04"		lts		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected