CVE-2024-0567: 
NixOS vulnerability analysis and mitigation

A vulnerability was discovered in GnuTLS (CVE-2024-0567) where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. The issue was discovered on January 16, 2024, affecting GnuTLS versions from 3.7.0 to 3.8.2. This vulnerability impacts systems using GnuTLS for certificate chain validation (GnuTLS Help, NVD).

The vulnerability occurs when validating a certificate chain with cockpit-certificate-ensure, specifically when dealing with certificate chains that have distributed trust. The issue manifests as an assertion failure in the gnutlssort_clist function when processing certificate chains with cross-signed root certificates. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Red Hat).

When successfully exploited, this vulnerability allows an unauthenticated, remote attacker to initiate a denial of service attack. The flaw specifically impacts the certificate chain validation process, potentially disrupting services that rely on GnuTLS for certificate validation (NetApp Security).

The vulnerability has been fixed in GnuTLS version 3.8.3. Users and organizations are advised to upgrade to this version or later to address the issue. Various Linux distributions have released security updates incorporating the fix, including Red Hat Enterprise Linux and Fedora (Red Hat Advisory, Fedora Update).