Zeek test script for CVE-2020-13777

This script performs a simple test to check if a server is potentially vulnerable to CVE-2020-13777.

CVE-2020-13777 (GnuTLS 3.6.4 through 3.6.13) causes a GnuTLS server to protect its session tickets with an all-zero key, so the tickets are effectively unencrypted: anyone on the path can decrypt them and, for a TLS 1.2 session, recover the session keys. This appears to be detectable on the wire because an affected server sets the `key_name` field of the ticket to all zeros; `key_name` is the first 16 bytes of the ticket in the RFC 5077 layout. This script checks whether:

  • A server sends a suspicious session ticket (all-zero `key_name`)
  • A client successfully resumes a connection to a server using a suspicious session ticket

Either case indicates that the server is running a vulnerable version of GnuTLS.

Found cases are written to notice.log. Example output:

1591660828.497706	CHhAvVGS1DHFjwGM9	::1	58800	::1	5556	-	-	-	tcp	CVE_2020_13777::CVE_2020_13777_Server	Server potentially vulnerable to CVE-2020-13777 detected	-	::1	::1	5556	-	-	Notice::ACTION_LOG	3600.000000	-	-	-	-	-
1591660837.423412	ClEkJM2Vm5giqnMf4h	::1	58802	::1	5556	-	-	-	tcp	CVE_2020_13777::CVE_2020_13777_Resumed	Server potentially vulnerable to CVE-2020-13777 detected; client resumed with suspicious session ticket	-	::1	::1	5556	-	-	Notice::ACTION_LOG	3600.000000	-	-	-	-	-

Notices are deduplicated and logged only once per Notice::default_suppression_interval (default: 1 hour) for each server.
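The two checks described above and the per-server suppression, as an added Python example that is not the package's own Zeek code. It assumes the RFC 5077 ticket layout (16-byte `key_name` first), treats an all-zero `key_name` as suspicious, and runs over constructed TLS 1.2 handshake messages rather than live traffic; the event shape, helper names and addresses are made up for the example.

```python
"""Added example: CVE-2020-13777 ticket heuristic over constructed TLS 1.2 handshake bytes.

Assumptions (not from the package): RFC 5077 ticket layout, all-zero key_name == suspicious,
and a simple event list standing in for Zeek's ssl_* events.
"""
import struct

KEY_NAME_LEN = 16
HS_CLIENT_HELLO = 1
HS_NEW_SESSION_TICKET = 4
EXT_SESSION_TICKET = 35            # IANA "session_ticket" extension type
SUPPRESSION_INTERVAL = 3600.0      # mirrors Notice::default_suppression_interval


def ticket_is_suspicious(ticket: bytes) -> bool:
    """True if the RFC 5077 key_name (first 16 bytes of the ticket) is all zero."""
    return len(ticket) >= KEY_NAME_LEN and ticket[:KEY_NAME_LEN] == bytes(KEY_NAME_LEN)


def parse_handshake(msg: bytes):
    """Split one TLS handshake message into (type, body); raise on truncation."""
    if len(msg) < 4:
        raise ValueError("short handshake header")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake body")
    return msg[0], body


def parse_new_session_ticket(body: bytes):
    """NewSessionTicket body: uint32 ticket_lifetime_hint, opaque ticket<0..2^16-1>."""
    lifetime, tlen = struct.unpack("!IH", body[:6])
    ticket = body[6:6 + tlen]
    if len(ticket) != tlen:
        raise ValueError("truncated ticket")
    return lifetime, ticket


def client_hello_session_ticket(body: bytes):
    """Return the SessionTicket extension payload of a ClientHello body, or None."""
    pos = 2 + 32                                   # client_version + random
    sid_len = body[pos]; pos += 1 + sid_len        # session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len          # compression_methods
    if pos >= len(body):
        return None                                # no extensions block at all
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        val = body[pos:pos + ext_len]; pos += ext_len
        if ext_type == EXT_SESSION_TICKET:
            return val
    return None


def build_new_session_ticket(ticket: bytes, lifetime: int = 7200) -> bytes:
    """Constructed server-side NewSessionTicket handshake message."""
    body = struct.pack("!IH", lifetime, len(ticket)) + ticket
    return bytes([HS_NEW_SESSION_TICKET]) + len(body).to_bytes(3, "big") + body


def build_client_hello(ticket: bytes) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying a SessionTicket extension."""
    ext = struct.pack("!HH", EXT_SESSION_TICKET, len(ticket)) + ticket
    body = (b"\x03\x03" + bytes(32)      # version + zeroed random (constructed)
            + b"\x00"                    # empty session_id
            + b"\x00\x02\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                # null compression
            + struct.pack("!H", len(ext)) + ext)
    return bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def detect(events):
    """Apply both checks to a list of constructed events and return (uid, server, note) notices.

    Event shapes: kind "server_hs"/"client_hs" carry handshake bytes in "data";
    kind "established" carries the "resumed" flag. Notices are suppressed per
    (server, note) for SUPPRESSION_INTERVAL seconds, like the Zeek notice framework.
    """
    notices, last, pending = [], {}, set()

    def notice(ev, note):
        key = (ev["server"], note)
        if key in last and ev["ts"] - last[key] < SUPPRESSION_INTERVAL:
            return
        last[key] = ev["ts"]
        notices.append((ev["uid"], ev["server"], note))

    for ev in events:
        if ev["kind"] == "server_hs":
            t, body = parse_handshake(ev["data"])
            if t == HS_NEW_SESSION_TICKET and ticket_is_suspicious(parse_new_session_ticket(body)[1]):
                notice(ev, "CVE_2020_13777_Server")
        elif ev["kind"] == "client_hs":
            t, body = parse_handshake(ev["data"])
            if t == HS_CLIENT_HELLO:
                ticket = client_hello_session_ticket(body)
                if ticket is not None and ticket_is_suspicious(ticket):
                    pending.add(ev["uid"])       # remember; only alert if the server resumes
        elif ev["kind"] == "established":
            if ev["uid"] in pending and ev["resumed"]:
                notice(ev, "CVE_2020_13777_Resumed")
            pending.discard(ev["uid"])
    return notices


def run_sample():
    """Constructed traffic: one vulnerable server (zero key_name) and one healthy one."""
    bad = bytes(16) + b"\x11" * 16 + b"\xaa" * 40       # zero key_name + iv + ciphertext
    good = b"\x5a" * 16 + b"\x11" * 16 + b"\xaa" * 40   # non-zero key_name
    vuln, ok = "198.51.100.5:443", "198.51.100.9:443"   # constructed addresses
    events = [
        {"ts": 1.0, "uid": "A", "server": vuln, "kind": "server_hs", "data": build_new_session_ticket(bad)},
        {"ts": 2.0, "uid": "B", "server": vuln, "kind": "client_hs", "data": build_client_hello(bad)},
        {"ts": 2.1, "uid": "B", "server": vuln, "kind": "established", "resumed": True},
        {"ts": 9.0, "uid": "C", "server": vuln, "kind": "server_hs", "data": build_new_session_ticket(bad)},
        {"ts": 3.0, "uid": "D", "server": ok, "kind": "server_hs", "data": build_new_session_ticket(good)},
        {"ts": 4.0, "uid": "E", "server": ok, "kind": "client_hs", "data": build_client_hello(bad)},
        {"ts": 4.1, "uid": "E", "server": ok, "kind": "established", "resumed": False},
    ]
    return detect(events)


if __name__ == "__main__":
    for uid, server, note in run_sample():
        print(uid, server, note)
```

Connection C is the second suspicious ticket from the same server within the suppression interval and is dropped, and connection E offers a suspicious ticket that the server does not accept, so neither produces a notice.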

To install via zkg, just use

zkg install 0xxon/cve-2020-13777


This script only works for TLS 1.2 (or below) connections. It will not alert on vulnerable servers that use TLS 1.3. The


This script has not been extensively tested. It works with my self-generated test data and should find vulnerable servers. There is a chance that it will raise false positives with different server software, but this is somewhat unlikely.
