Goto Apple: GnuTLS falls foul of SSL certificate verification issues

Summary:An audit conducted by Red Hat has turned up an SSL certificate verification vulnerability in all versions of GnuTLS.

Any version of a widely installed security library has been found to be vulnerable to specially crafted certificates that would allow a man-in-the-middle attack against applications using GnuTLS.

Found in an audit conducted by Red Hat, GnuTLS failed to properly handle "certain errors" encountered during SSL certificate verification, and would report successful verification of the SSL certificate when it should have ended in failure. The library would accept "specially crafted" certificates, even if they were not issued from a trusted certificate authority.

"A vulnerability was discovered that affects the certificate verification functions of all GnuTLS versions," a security advisory on the GnuTLS site states. "A specially crafted certificate could bypass certificate validation checks."

As the issue affects all version of the library, the only recourse is to update to versions 3.2.12 or 3.1.22 of the library, or apply a patch for the 2.x GnuTLS branch.

The error in GnuTLS is similar to the goto fail SSL certificate handling issue that Apple patched in its iOS and, eventually, OS X operating systems last week.

In the days between the iOS and OS X updates, security researchers were able to show that it was possible to build a man-in-the-middle attack to capture all SSL traffic from a vulnerable Apple device.

In both cases, incorrect goto calls have been the root cause of the security issues.

Topics: Security, Apple


Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.