
Goto Apple: GnuTLS falls foul of SSL certificate verification issues

An audit conducted by Red Hat has turned up an SSL certificate verification vulnerability in all versions of GnuTLS.
Written by Chris Duckett on

Every version of GnuTLS, a widely installed security library, has been found to be vulnerable to specially crafted certificates that would allow a man-in-the-middle attack against applications using the library.

In the audit, Red Hat found that GnuTLS failed to properly handle "certain errors" encountered during SSL certificate verification, and would report successful verification of the SSL certificate when it should have reported failure. As a result, the library would accept "specially crafted" certificates even when they were not issued by a trusted certificate authority.

"A vulnerability was discovered that affects the certificate verification functions of all GnuTLS versions," a security advisory on the GnuTLS site states. "A specially crafted certificate could bypass certificate validation checks."

As the issue affects all versions of the library, the only recourse is to update to version 3.2.12 or 3.1.22 of the library, or to apply the patch for the 2.x GnuTLS branch.

The error in GnuTLS is similar to the goto fail SSL certificate handling issue that Apple patched in its iOS and, eventually, OS X operating systems last week.

In the days between the iOS and OS X updates, security researchers were able to show that it was possible to build a man-in-the-middle attack to capture all SSL traffic from a vulnerable Apple device.

In both cases, a mishandled goto has been the root cause. Apple's bug was a duplicated "goto fail;" line that jumped past the final signature check while the error variable still held the success value from the previous step. In GnuTLS, error paths in the certificate checking functions jumped to a cleanup label with a negative error code still in the result variable, and callers that only tested the result against zero treated that non-zero value as a passed check.
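The two goto mistakes side by side, as an added illustration that is not code from GnuTLS or Apple: toy functions that reproduce the shape of each bug and of its fix, run against constructed string "certificates". The error code, the helper names and the string format are assumptions made for this example.

```c
#include <string.h>

/* Added example, not GnuTLS's or Apple's code. Error codes, helper
 * names and the string "certificate" format are hypothetical. */

#define ERR_PARSE (-1)   /* hypothetical: could not decode the extension */

/* Toy parser: the cert is a string that spells out basicConstraints.
 * Returns 0 and sets *is_ca on success, ERR_PARSE if the string
 * carries no recognisable CA flag. */
static int parse_basic_constraints(const char *cert, int *is_ca)
{
    if (strstr(cert, "CA:TRUE"))  { *is_ca = 1; return 0; }
    if (strstr(cert, "CA:FALSE")) { *is_ca = 0; return 0; }
    return ERR_PARSE;
}

/* Vulnerable shape (GnuTLS before the fix): the contract is
 * 1 = issuer may act as a CA, 0 = may not, but the error path jumps
 * to cleanup with the negative code still in `result`. */
static int check_if_ca_vuln(const char *issuer)
{
    int result, is_ca;
    result = parse_basic_constraints(issuer, &is_ca);
    if (result < 0)
        goto cleanup;           /* BUG: returns -1, non-zero, i.e. "yes" */
    result = is_ca;
cleanup:
    return result;
}

/* Fixed shape (GnuTLS patch): error paths go through a label that
 * forces the predicate's "no" value before returning. */
static int check_if_ca_fixed(const char *issuer)
{
    int result, is_ca;
    result = parse_basic_constraints(issuer, &is_ca);
    if (result < 0)
        goto fail;
    result = is_ca;
    goto cleanup;
fail:
    result = 0;                 /* an error is never a CA */
cleanup:
    return result;
}

/* Caller in the verifier's style: accept only if the issuer is a CA.
 * Only compares against zero, so any other value is "accepted". */
static int chain_accepted(const char *issuer, int (*check)(const char *))
{
    if (check(issuer) == 0)
        return 0;               /* rejected */
    return 1;                   /* accepted */
}

/* Apple's variant: each step stores an error and jumps to fail on
 * failure. The duplicated "goto fail;" is unconditional, so the
 * signature step is skipped with err still 0 from the hash step.
 * hash_ok / sig_ok stand in for the outcome of each real check. */
static int verify_vuln_goto_fail(int hash_ok, int sig_ok)
{
    int err = 0;
    if ((err = hash_ok ? 0 : -1) != 0)
        goto fail;
        goto fail;              /* BUG: duplicated line, always taken */
    if ((err = sig_ok ? 0 : -1) != 0)   /* never reached */
        goto fail;
fail:
    return err;                 /* 0 means "verified" */
}

/* Same function with the stray line removed. */
static int verify_fixed_goto_fail(int hash_ok, int sig_ok)
{
    int err = 0;
    if ((err = hash_ok ? 0 : -1) != 0)
        goto fail;
    if ((err = sig_ok ? 0 : -1) != 0)
        goto fail;
fail:
    return err;
}
```

Run the two callers against an issuer string that does not parse: the vulnerable check returns -1 and the chain is accepted, the fixed check returns 0 and it is rejected. For the Apple shape, a bad signature with a good hash still returns 0 from the vulnerable version. The common lesson is that a predicate and an error code must not share a return channel unless every exit path normalises the value.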
