Another serious GnuTLS bug exposes Linux clients to server attacks

Summary: More troubles emerge for open source secure communications tools with a new flaw affecting the GnuTLS library.

TOPICS: Servers, Linux, Security

Linux PCs running Ubuntu, Debian, and Red Hat, and an unknown number of applications, are at risk again after researchers discovered a critical flaw in the GnuTLS secure communications library.

The flaw, discovered by Joonas Kuorilehto of Codenomicon — the company that discovered the recent OpenSSL Heartbleed bug — allows a malicious server to crash or execute arbitrary code on a client machine running GnuTLS.

Similar to OpenSSL, the GnuTLS library implements secure sockets layer (SSL) and transport layer security (TLS) protocols on PCs, servers, and applications to provide encrypted communications over insecure channels.

The open source software was in the spotlight this March after an audit by Red Hat discovered a vulnerability that allowed an attacker to trick GnuTLS into accepting a bogus SSL certificate, exposing applications and several Linux distributions to impersonation attacks.

While it's thought the library is used by around 200 operating systems and applications, arguably many of them were not likely targets for a man-in-the-middle attack.

According to Red Hat, which issued an advisory for the latest bug on Saturday, GnuTLS runs an insufficient check on the session ID length during the TLS/SSL handshake between a client and server.

"A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code," the company wrote.

"The flaw is in read_server_hello() / _gnutls_read_server_hello(), where session_id_len is checked to not exceed incoming packet size, but not checked to ensure it does not exceed maximum session id length."
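The length check the Red Hat advisory describes, as an added illustration that is not GnuTLS's own code: a constructed model of a ServerHello session_id parser with the pre-fix check (length bounded only by the bytes left in the packet) beside a hardened check that also enforces the TLS maximum of 32 bytes. The packet bytes are constructed, and MAX_SESSION_ID_LEN and the function names are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* TLS limits the ServerHello session_id field to 0..32 bytes (RFC 5246). */
#define MAX_SESSION_ID_LEN 32

/* Model of the pre-fix logic the advisory describes: session_id_len is only
 * compared against the bytes remaining in the packet, so a value larger than
 * the fixed 32-byte destination still passes. Predicate only; the real code
 * would then copy session_id_len bytes into that fixed-size buffer. */
static int vulnerable_len_ok(size_t session_id_len, size_t remaining)
{
    return session_id_len <= remaining;
}

/* Hardened check: also bound the length by the protocol maximum. */
static int hardened_len_ok(size_t session_id_len, size_t remaining)
{
    return session_id_len <= remaining && session_id_len <= MAX_SESSION_ID_LEN;
}

/* Parse the session_id vector (1-byte length + bytes) at pkt[pos..len) into a
 * fixed-size buffer using the hardened check. Returns the session id length
 * on success, -1 on a truncated or over-long field. */
int parse_session_id(const uint8_t *pkt, size_t len, size_t pos,
                     uint8_t out[MAX_SESSION_ID_LEN])
{
    if (pos >= len)
        return -1;
    size_t sid_len = pkt[pos];
    size_t remaining = len - pos - 1;
    if (!hardened_len_ok(sid_len, remaining))
        return -1;
    memcpy(out, pkt + pos + 1, sid_len);
    return (int)sid_len;
}

/* Constructed sample ServerHello fragment: one length byte followed by exactly
 * that many filler bytes, so the field always "fits" the packet and only the
 * protocol-maximum check can reject it. */
int demo_parse(uint8_t declared_len)
{
    uint8_t pkt[1 + 255];
    pkt[0] = declared_len;
    memset(pkt + 1, 0xAA, declared_len);
    uint8_t sid[MAX_SESSION_ID_LEN];
    return parse_session_id(pkt, (size_t)1 + declared_len, 0, sid);
}
```

A declared length of 64 passes vulnerable_len_ok() because it fits the packet, while parse_session_id() rejects it; a 32-byte session id is accepted by both.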

GnuTLS chief developer and Red Hat engineer Nikos Mavrogiannopoulos released updates for the library on Saturday that fix the flaws in GnuTLS versions 3.1.25, 3.2.15, and 3.3.3. However, it appears the bug was discovered at least two weeks ago, with a fix first showing up in the GnuTLS repository on 23 May.

According to Red Hat, the Fedora project is affected, as is Extra Packages for Enterprise Linux (EPEL) version 5.

A more detailed analysis by Radare.Today suggests the bug is likely exploitable. The company says that Ubuntu and Debian distributions are also affected by the bug.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code, for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

  • Another serious GnuTLS bug exposes Linux clients to server attacks

    Two very serious security issues with Linux. Linux has more holes than Swiss cheese. It's time to pull support for Linux and let the project disband. I'll be calling up clients asking them to shut down any Linux boxes they are running because we simply cannot take this kind of risk.
    • Yes Dear

    • Consider this, Mr. Davidson

      If your clients are running Linux on their systems, then they are, effectively, giving you the middle finger.

      P.S. Did you miss that this most recent GnuTLS vulnerability was not discovered by either Coverity or Red Hat's GnuTLS code audit?
      Rabid Howler Monkey
    • The Bug Isn't in Linux

      The bug is in software that runs on Linux. Your statement is like saying people should stop using Windows due to vulnerabilities in Flash. (GnuTLS also runs on *BSD and Windows.)
      • Lovely

        Whenever there's a problem involving Linux, we learn that Linux distros such as "Ubuntu, Debian, and RedHat" aren't Linux ... that Linux is the kernel ...

        Since the Linux Journal (for one) refers to "Ubuntu, Debian, and RedHat" as Linux distros (actually, they are all GNU/Linux distros) and since they all default with the GnuTLS library because of its FOSS license, this bug *is* a GNU/Linux problem.

        As for Windows and Adobe Flash Player vulnerabilities, your statement makes some sense for Windows 7 and earlier. Windows 8, however, includes Adobe Flash Player (for Internet Explorer), by default, and it is enabled, by default. Here's a link to a CLI registry hack which one has to use to remove the default Flash Player from Windows 8:

        We all know how much average Windows users love registry hacks and the CLI.

        On Debian or Ubuntu, one can indeed remove the GnuTLS library package, along with a whole host of additional packages (it's called dependencies) with apt. With Ubuntu 12.04, as an example, removing the GnuTLS library package will take a total of 46 packages, including apt-transport-https, apt-daemon, apturl and kerneloops-daemon, with it. Make no mistake, removing the GnuTLS library from Debian or Ubuntu constitutes 'major surgery' ... nothing like uninstalling Flash Player.
        Rabid Howler Monkey
    • You never cease to amaze me

      You have absolutely no idea what you are talking about, yet you persist in forcing your ignorance on the rest of us. If you want to comment on Linux, then take a few days and actually use it, since it is painfully obvious that you have never done anything with it and as a result have no right to express your opinions here or anywhere else when it comes to Linux.
    • Great joke, LD!

      It's good to see that you're writing new material! We need you here as the resident forum clown.
    • So, I guess you already called your clients

      and told them to shut down their Windows boxes, because you can't risk losing all your financial data to Game Over Zeus?

      Oh, that's right, with you, MS always gets a pass. About 1.2M of them, so far.
    • 20+ thousand security holes in windows..

      clearly worse historically than Linux by a massive margin.

      Hell, IE is built into Windows and several governments around the world have suggested people stop using it to protect themselves in the last 5 years. In fact I think it's happened several times now that governments and security experts have suggested people get off IE. Let's not get started on CodeRed or Nimda, and that not that long ago, plugging a new Windows machine into the internet would see it infected with "real" self-propagating malware within 20 minutes without anyone even using it.

      Geeze, some of you guys have really poor or incredibly selective memories.. No operating system has had as many security flaws as Windows.. NOT ONE. And before you give me the whole "but look how long Windows has been around" argument.. I'll point out that Unix and its variants have been around much, much longer.
  • Very Impressed.... the speed of these fixes. Makes me more than comfortable running GNU compared to others we could mention...
  • GnuTLS bug

    “Regardless of whether you use Linux on a server or on a workstation, it's very important to always keep your system updated by routinely applying relevant security errata. All software contains bugs that must be patched on a routine basis -- whether you use proprietary platforms, or a free software distribution based on Linux. Failing to do so will leave you vulnerable to attacks.” -Konstantin Ryabitsev

    Users should update to the latest GnuTLS versions (3.1.25, 3.2.15 or 3.3.4).
  • I am not going as far as Loverock

    But the reality is, Linux is not the most secure OS and the Open Source community needs to stop beating that drum. Stop using the "Linux is more secure than Windows" line. Just as the year of desktop Linux never came, it's a similar case with security: Linux has never been secure in the sense that it can never be flawed. That is the impression the community likes to give, like it was designed with security in mind, just like how Apple always claims ease of use because it was the first mainstream GUI OS. Linux's only security trait is obscurity; less than 2% of systems run it.
    • I have to disagree

      Back in the 90's, when clicking 'Cancel' at a Windows login screen logged you in as administrator with no password, Linux already had SELinux (Secure Linux), a process that watches other processes for banned behavior.

      It also had: strong password enforcing, multi-layer authentication, encrypted network communications, device driver signatures, and much more. MS has since copied all these security measures.

      Security by obscurity is a myth. Linux servers are used by banks, stock exchanges, investment firms, DOD, and militaries around the world.

      Let me ask this: If you were criminally minded and wanted to steal lots of money, would you break into 15M houses looking for piggy banks, or would you look at robbing a bank?

      So, why do hackers keep hacking millions of Windows PCs instead of hacking Linux servers? Maybe because it's so much easier?

      Linux security is not a myth.

      Is Linux immune to human failures? No, of course not. Has Linux been programmed with security in mind since its beginning, absolutely.
    • rubbish

      There is no security by obscurity.. it's open source. Half the time these GNU/Linux bugs are found by reading the source code as opposed to hacking on the software the old-school Windows way.. and yet even with the source code hidden, Microsoft still has a truly massive security flaw heritage.. you might be too young to remember it, but those of us that worked in the industry back then used to call Windows/IE/IIS/Outlook Express the "Microsoft virus transport system" because they were constantly being owned..

      Even now, case in point, on Linux I replace any package without a reboot (even the kernel, using kexec or ksplice).. but on Windows, nearly every update to anything core requires a reboot.. my work Windows PC has a permanent "Windows needs to restart" reminder in the corner because I have 50 files open for coding and 40 browser tabs and emails and other stuff.. and restarting is a pain.. so I install the updates, but try to postpone so I am not constantly restarting. My Linux boxes only need restarting if the kernel is updated, and on RHEL, that doesn't happen very often. This is something compromising MS security every day.. people postponing reboots because there are so damn many of them.

      Last time I checked, it was only a month ago that the web browser integrated with Windows had several of the world's governments and security folks warning people not to use IE if you want to protect yourself.

      No doubt, Microsoft are way way better than they were, but that is at least partly because they were so very very bad at securing their systems for so very long.

      I've been supporting Windows users since Windows 3 and been a user since the days of DOS 3 and DR-DOS. I remember even if you don't.
  • Patch Wednesday?

    Fixes released on Saturday, I got mine today. Hey... I didn't have to wait a month or more! Sweet! And it's not even Tuesday! That, Lovey, is the power of Linux. Don't go away mad, we love your comic relief rants. :D
    BobK Linux Noob