Goto Apple: GnuTLS falls foul of SSL certificate verification issues

Any version of a widely installed security library has been found to be vulnerable to specially crafted certificates that would allow a man-in-the-middle attack against applications using GnuTLS.

Found in an audit conducted by Red Hat, GnuTLS failed to properly handle "certain errors" encountered during SSL certificate verification, and would report successful verification of the SSL certificate when it should have ended in failure. The library would accept "specially crafted" certificates, even if they were not issued from a trusted certificate authority.

"A vulnerability was discovered that affects the certificate verification functions of all GnuTLS versions," a security advisory on the GnuTLS site states. "A specially crafted certificate could bypass certificate validation checks."

As the issue affects all version of the library, the only recourse is to update to versions 3.2.12 or 3.1.22 of the library, or apply a patch for the 2.x GnuTLS branch.

The error in GnuTLS is similar to the goto fail SSL certificate handling issue that Apple patched in its iOS and, eventually, OS X operating systems last week.

In the days between the iOS and OS X updates, security researchers were able to show that it was possible to build a man-in-the-middle attack to capture all SSL traffic from a vulnerable Apple device.

In both cases, incorrect goto calls have been the root cause of the security issues.