Feeds

GNU security library GnuTLS fails on cert checks: Patch now

Many eyes missed bug for many years

Build a business case: developing custom apps

The notion that open source software is more likely to be secure because anyone can look at the source code looks just a little less sound today, after a serious bug was discovered in the key GnuTLS security library, impacting hundreds of applications that use it.

According to this Red Hat advisory: “It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker.”

As a result, a certificate could be accepted as valid even though it wasn't issued by a trusted CA – for example, an attacker could merely self-sign a bogus certificate.

It's down to bad “goto cleanup” calls, similar to Apple's recent “goto fail” SSL bug. There's no causal relationship between the two: goto has been fingered as a problem in software languages ever since Edsger Dijkstra's famous “goto considered harmful” letter of 1968 (there's an annotated version of the letter here).

One commenter in this Reddit thread says the bug is nearly a decade old, having crept into the code back in 2005.

As is noted on this Hacker News thread, alternative security libraries such as OpenSSL are available and packages can be compiled against OpenSSL rather than GnuTLS. However, as a result of license incompatibilities, plenty of packages default to GnuTLS.

Red Hat has issued a patch for its users, and for everyone else, the GnuTLS team has a patch available for 2.12.x versions, or you can upgrade to version 3.2.12.

The bug was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team. ®

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?