Goto Apple: GnuTLS falls foul of SSL certificate verification issues

An audit conducted by Red Hat has turned up an SSL certificate verification vulnerability in all versions of GnuTLS.
Written by Chris Duckett on

Every version of a widely installed security library has been found to be vulnerable to specially crafted certificates, allowing a man-in-the-middle attack against applications that use GnuTLS.

The flaw, found during an audit conducted by Red Hat, meant that GnuTLS failed to properly handle "certain errors" encountered during SSL certificate verification and reported successful verification of the SSL certificate when it should have reported failure. As a result, the library would accept "specially crafted" certificates even if they were not issued by a trusted certificate authority.

"A vulnerability was discovered that affects the certificate verification functions of all GnuTLS versions," a security advisory on the GnuTLS site states. "A specially crafted certificate could bypass certificate validation checks."

As the issue affects all versions of the library, the only recourse is to update to version 3.2.12 or 3.1.22 of the library, or to apply a patch for the 2.x GnuTLS branch.

The error in GnuTLS is similar to the goto fail SSL certificate handling issue that Apple patched in its iOS and, eventually, OS X operating systems last week.

In the days between the iOS and OS X updates, security researchers were able to show that it was possible to build a man-in-the-middle attack to capture all SSL traffic from a vulnerable Apple device.

In both cases, incorrect goto statements in the certificate verification code have been the root cause of the security issues.
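The error-path pattern the article describes, as a constructed C illustration added here (it is not GnuTLS's or Apple's code; the function names, the error code and the caller's non-zero-means-accept convention are assumptions): the vulnerable routine jumps to a cleanup label while the result still holds a negative error code, so a caller reading that value as a boolean treats a verification error as success, while the fixed routine sends every error through a label that forces the result to zero.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed negative error code in the style of C libraries (hypothetical). */
enum { ERR_PARSE = -5 };

/* Vulnerable shape: on an error while reading the certificate, the code jumps
 * to `cleanup`, which returns `result` while it still holds the negative error
 * code. A caller that tests the return as a boolean sees non-zero and treats
 * the issuer as a valid CA, so a malformed certificate passes the check. */
static int check_if_ca_vulnerable(bool issuer_is_ca, bool malformed)
{
    int result = 0;
    if (malformed) {
        result = ERR_PARSE;   /* error code, which is non-zero */
        goto cleanup;         /* bug: bypasses the "not a CA" outcome */
    }
    result = issuer_is_ca ? 1 : 0;
cleanup:
    return result;
}

/* Hardened shape: a dedicated `fail` label forces the boolean outcome to 0,
 * so any error during verification is reported as "verification failed". */
static int check_if_ca_fixed(bool issuer_is_ca, bool malformed)
{
    int result;
    if (malformed)
        goto fail;
    result = issuer_is_ca ? 1 : 0;
    goto cleanup;
fail:
    result = 0;               /* an error never reads as success */
cleanup:
    return result;
}

/* Caller in the style of a verification routine: non-zero means "accept". */
static bool issuer_accepted(int (*check)(bool, bool), bool is_ca, bool malformed)
{
    return check(is_ca, malformed) != 0;
}

int main(void)
{
    /* Malformed certificate from a non-CA issuer: vulnerable accepts, fixed rejects. */
    printf("vulnerable: %d\n", issuer_accepted(check_if_ca_vulnerable, false, true));
    printf("fixed:      %d\n", issuer_accepted(check_if_ca_fixed, false, true));
    return 0;
}
```

The practical check this suggests is to test a verifier's error paths with malformed input and assert that they reject, rather than exercising only the path with a well-formed certificate.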
