CVE-2024-12243: 
GnuTLS vulnerability analysis and mitigation

A vulnerability (CVE-2024-12243) was discovered in GnuTLS, which relies on libtasn1 for ASN.1 data processing. The flaw was disclosed on February 10, 2025, and affects GnuTLS implementations that use libtasn1 for certificate processing. The vulnerability stems from an inefficient algorithm in libtasn1's DER-encoded certificate data processing mechanism (NVD, Red Hat CVE).

The vulnerability is caused by an inefficient algorithmic implementation in libtasn1's DER sequence processing. The issue manifests in two ways: decoding a DER input with sequences and locating specific elements in a sequence. While DER sequences are conceptually arrays, libtasn1 implements them as linked lists with string name assignments, resulting in O(N) time complexity for element lookups and O(N^2) time complexity for decoding sequences due to backward linear searches for parent nodes. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Snyk).

When exploited, this vulnerability can lead to a denial-of-service condition by causing GnuTLS to become unresponsive or significantly slow down when processing specially crafted certificates. The impact primarily affects system availability, with no direct effect on confidentiality or integrity. The vulnerability allows attackers to trigger CPU resource exhaustion through the processing of malformed certificates containing numerous meaningless fields (GitLab Issue).

Various distributions have released security updates to address this vulnerability. Ubuntu has released version 3.8.3-1.1ubuntu3.3 for Ubuntu 24.04, and Debian has also issued security updates. Organizations are advised to update their GnuTLS installations to the latest patched versions (Debian LTS).