MEDIUM · CVE-2026-33308 · CVSS 6.8

mod_gnutls missing key purpose check in client certificate verification


Platform

apache

Component

mod_gnutls

Fixed in

0.13.1

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-33308 is a medium-severity vulnerability affecting mod_gnutls, a TLS module for Apache HTTPD. This flaw stems from inadequate verification of the key purpose within client certificates, potentially allowing unauthorized access. Versions of mod_gnutls prior to 0.13.0 are vulnerable, while servers not utilizing client certificate authentication are unaffected.

Impact and Attack Scenarios

An attacker exploiting this vulnerability could leverage a valid client certificate issued by a trusted Certificate Authority (CA), but with a key purpose not intended for TLS client authentication. By presenting this certificate, the attacker could bypass the intended authentication checks and gain access to resources requiring TLS client authentication. The potential impact includes unauthorized data access, modification, or deletion, depending on the privileges associated with the authenticated user. This vulnerability highlights the importance of proper certificate validation and key usage restrictions in TLS configurations.

Exploitation Context

This CVE was publicly disclosed on 2026-03-24. Currently, there are no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's impact is contingent on the configuration of Apache HTTPD and the use of TLS client authentication.

Who Is at Risk

Organizations running Apache HTTPD with mod_gnutls versions prior to 0.13.0 and utilizing TLS client authentication are at risk. This includes environments relying on client certificates for secure access to web applications and APIs, particularly those with legacy systems or custom authentication implementations.

Detection Steps

• apache / server:

# Check mod_gnutls version
httpd -M | grep gnutls

# Review Apache configuration for GnuTLSClientVerify directive
grep -r 'GnuTLSClientVerify' /etc/httpd/conf/*
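As an added example (not from the advisory or the mod_gnutls project), the Python script below automates the two checks above over a constructed Apache configuration: it flags mod_gnutls versions older than the 0.13.0 fix named on this page and lists the virtual hosts where GnuTLSClientVerify actually requests or requires a client certificate, i.e. the only hosts where the missing key purpose check matters. The sample configuration and host names are constructed; treating a vhost with no GnuTLSClientVerify directive as "ignore" is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample Apache config (not from the advisory): two TLS vhosts,
# only the first of which verifies client certificates.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName api.example.test
    GnuTLSEnable on
    GnuTLSClientVerify require
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.test
    GnuTLSEnable on
    GnuTLSClientVerify ignore
</VirtualHost>
"""

FIXED_VERSION = (0, 13, 0)  # first release with the key purpose check, per the advisory

_VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
_SERVERNAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)
_VERIFY_RE = re.compile(r"^\s*GnuTLSClientVerify\s+(\S+)", re.M | re.I)

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '0.12.1' into a tuple that compares numerically."""
    return tuple(int(part) for part in version.strip().split("."))

def is_vulnerable_version(version: str) -> bool:
    """True when the installed mod_gnutls predates the fixed release."""
    return parse_version(version) < FIXED_VERSION

def client_verify_settings(conf: str) -> Dict[str, str]:
    """Map each ServerName to its GnuTLSClientVerify value (lower-cased)."""
    settings = {}
    for block in _VHOST_RE.findall(conf):
        name = _SERVERNAME_RE.search(block)
        verify = _VERIFY_RE.search(block)
        if name:
            # Assumption: a vhost without the directive behaves as 'ignore'.
            settings[name.group(1)] = verify.group(1).lower() if verify else "ignore"
    return settings

def affected_hosts(conf: str, installed_version: str) -> List[str]:
    """Vhosts exposed to CVE-2026-33308: vulnerable module *and* client verification on."""
    if not is_vulnerable_version(installed_version):
        return []
    return [host for host, mode in client_verify_settings(conf).items()
            if mode in ("request", "require")]
```

Feed it the output of the two commands above (the module version and the collected configuration text) to get the list of hosts that need the upgrade first.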

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.03% (10th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

Threat Intelligence · CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Base score: 6.8 MEDIUM
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: High (conditions required to exploit)
Privileges Required: None (level of authentication required)
User Interaction: None (whether the victim must take an action)
Scope: Changed (impact beyond the affected component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: None (risk of unauthorized data modification)
Availability: None (risk of service disruption)
Source: nextguardhq.com · CVSS v3.1 Base Score

What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
High: requires a race condition, a non-default configuration, or specific circumstances.
Privileges Required
None: no authentication needed to exploit.
User Interaction
None: automatic, silent attack. The victim does nothing.
Scope
Changed: the attack can pivot beyond the vulnerable component.
Confidentiality
High: total loss of confidentiality. The attacker can read all data.
Integrity
None: no impact on integrity.
Availability
None: no impact on availability.

Affected Software

Component: mod_gnutls
Vendor: airtower-luna
Affected range: < 0.13.0
Fixed in: 0.13.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-33308 is to upgrade mod_gnutls to version 0.13.0 or later. If an immediate upgrade is not feasible due to compatibility issues, consider temporarily disabling TLS client authentication (GnuTLSClientVerify ignore) as a workaround, though this significantly reduces security. Review your Apache configuration to ensure client certificate verification is only enabled where absolutely necessary. After upgrading, verify the fix by attempting to authenticate with a certificate having an incorrect key purpose; authentication should fail.

How to Fix

Upgrade mod_gnutls to version 0.13.0 or later. This release fixes the key purpose check performed during client certificate verification. If upgrading is not possible, review the GnuTLSClientKeyPurpose configuration to ensure the key purpose is the expected one.


Frequently Asked Questions

What is CVE-2026-33308 — TLS Verification Bypass in mod_gnutls?

CVE-2026-33308 is a medium-severity vulnerability in mod_gnutls (≤ 0.13.0) that allows attackers to bypass TLS client authentication by exploiting improper certificate key purpose checks.

Am I affected by CVE-2026-33308 in mod_gnutls?

You are affected if you are running Apache HTTPD with mod_gnutls version 0.13.0 or earlier and have TLS client authentication enabled. Servers without client certificate verification are not affected.

How do I fix CVE-2026-33308 in mod_gnutls?

Upgrade mod_gnutls to version 0.13.0 or later. As a temporary workaround, disable TLS client authentication (GnuTLSClientVerify ignore), but be aware of the security implications.

Is CVE-2026-33308 being actively exploited?

As of the last update, there are no known public exploits or active campaigns targeting CVE-2026-33308.

Where can I find the official Apache advisory for CVE-2026-33308?

Refer to the Apache Security page for the latest information and official advisories: https://httpd.apache.org/security/
