Another serious GnuTLS bug exposes Linux clients to server attacks
Linux PCs running Ubuntu, Debian, and RedHat and an unknown number of applications are at risk again after researchers discovered a critical flaw in the GnuTLS secure communications library.
Tech Pro Research
The flaw, discovered by Joonas Kuorilehto of Codenomicon — the company that discovered the recent OpenSSL Heartbleed bug — allows a malicious server to crash or execute arbitrary code on a client machine running GnuTLS.
Similar to OpenSSL, the GnuTLS library implements secure sockets layer (SSL) and transport layer security (TLS) protocols on PCs, servers, and applications to provide encrypted communications over insecure channels.
The open source software was in the spotlight this March after an audit by Red Hat discovered a vulnerability that allowed an attacker to trick GnuTLS into accepting a bogus SSL certificate, exposing applications and several Linux distributions to impersonation attacks.
While it's thought the library is used by around 200 operating systems and applications, arguably many of them were not likely targets for a man-in-the-middle attack.
According to RedHat, which issued an advisory for the latest bug on Saturday, GnuTLS runs an insufficient check on the session ID length during the TLS/SSL handshake between a client and server.
"A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code," the company wrote.
"The flaw is in read_server_hello() / _gnutls_read_server_hello(), where session_id_len is checked to not exceed incoming packet size, but not checked to ensure it does not exceed maximum session id length."
GnuTLS chief developer and Red Hat engineer Nikos Mavrogiannopoulos released updates for the library on Saturday that fix the flaws in GnuTLS versions 3.1.25, 3.2.15, and 3.3.3. However, it appears the bug was discovered at least two weeks ago, with a fix first showing up in the GnuTLS repository on 23 May.
According to RedHat, the Fedora project is affected as well as Extra Packages for Enterprise Linux (EPEL) version 5.
A more detailed analysis by Radare.Today suggests the bug is likely exploitable. The company that Ubuntu and Debian distributions are also affected by the bug.