
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A vulnerability in libtasn1 (CVE-2024-12133) was discovered that causes inefficient handling of specific certificate data. The flaw affects all released versions of libtasn1 prior to version 4.20.0, which was released on February 1, 2025. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system (NVD, OSS Security).
The vulnerability stems from two main issues in the way libtasn1 handles DER sequences. First, although a DER sequence is conceptually an array, in libtasn1 it is represented as a linked list with string-named elements. This implementation results in a linear O(N) time complexity for element lookups. Second, when decoding a DER sequence, each step requires looking up the parent node recorded on the first element, requiring a backward linear search, resulting in O(N^2) time complexity. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (OSS Security).
The vulnerability can be exploited to cause a denial of service (DoS). By presenting a certificate with a large number of Subject Alternative Name or name constraint entries, an attacker can cause applications that use libtasn1 for certificate parsing and verification to consume excessive CPU resources, potentially leading to system slowdown or crashes (OSS Security).
The primary mitigation is to upgrade to libtasn1 version 4.20.0 or later. For applications using libtasn1 for certificate processing, it is recommended to set a limit on input sequences, such as Subject Alternative Name or name constraint entries. For those unable to modify application code, resource control mechanisms provided by the operating system, such as cgroups, can help avoid excessive CPU usage (OSS Security).
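The input limit recommended above can be enforced before the data reaches the decoder. The following is an added example, not code from libtasn1 or from this page: it counts DER elements in a single linear pass and rejects a buffer that exceeds a caller-chosen budget. The function names, result codes and the limit of 64 are assumptions, and the check is meant to run on the buffer about to be decoded (for instance the Subject Alternative Name extension value).

```c
#include <stddef.h>

/* Result codes; all names in this block are assumptions for the example. */
enum { DER_OK = 0, DER_MALFORMED = -1, DER_TOO_MANY = 1 };

/* Parse one TLV header at *pos; report content length and constructed bit. */
static int der_header(const unsigned char *buf, size_t len, size_t *pos,
                      size_t *clen, int *constructed) {
    size_t p = *pos;
    if (p >= len) return DER_MALFORMED;
    unsigned char tag = buf[p++];
    *constructed = (tag & 0x20) != 0;
    if ((tag & 0x1f) == 0x1f) {                 /* high-tag-number form */
        do { if (p >= len) return DER_MALFORMED; } while (buf[p++] & 0x80);
    }
    if (p >= len) return DER_MALFORMED;
    unsigned char l = buf[p++];
    if (l < 0x80) {
        *clen = l;                              /* short form */
    } else {
        size_t n = l & 0x7f;                    /* count of length octets */
        if (n == 0 || n > sizeof(size_t) || n > len - p) return DER_MALFORMED;
        *clen = 0;
        while (n--) *clen = (*clen << 8) | buf[p++];
    }
    if (*clen > len - p) return DER_MALFORMED;  /* content must fit in buffer */
    *pos = p;
    return DER_OK;
}

/* One linear pass counting every element; stops once over max_elements. */
int der_check_element_budget(const unsigned char *buf, size_t len, size_t max_elements) {
    size_t pos = 0, count = 0, clen;
    int constructed, rc;
    while (pos < len) {
        if ((rc = der_header(buf, len, &pos, &clen, &constructed)) != DER_OK)
            return rc;
        if (++count > max_elements) return DER_TOO_MANY;
        if (!constructed) pos += clen;          /* skip primitive content */
    }
    return DER_OK;
}

/* Constructed sample: a GeneralNames SEQUENCE with three dNSName entries. */
int main(void) {
    static const unsigned char san[] = {0x30,9, 0x82,1,'a', 0x82,1,'b', 0x82,1,'c'};
    return der_check_element_budget(san, sizeof san, 64);
}
```

This is a budget filter, not a DER validator: it does not check that children end exactly at their parent's boundary, so the buffer still has to go through the real decoder afterwards.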
Source: This report was generated using AI