What you need to know about the GnuTLS Linux bug

A flaw similar to Apple's 'goto fail' bug leaves many Linux variants vulnerable to man-in-the-middle attacks.

A critical Linux bug that many are comparing to the "goto fail" problem that afflicted Apple last month was recently discovered, prompting Linux distribution and application developers to scramble to incorporate a new patch into their code.

The bug affects GnuTLS, a library implementing the SSL, TLS and DTLS security protocols. It could cause software that uses the library to report a particular communications connection as secure when in fact it is not. As with the Apple flaw, that opens the door to "man-in-the-middle" attacks in which an attacker secretly intercepts and manipulates the user's communications.

The problem was discovered during a code audit last month. Red Hat then notified the other affected distributions, and a patch was released Monday.
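To make the failure mode concrete, here is an added illustration of the kind of return-code mix-up that produces a "verified" result for a certificate that was never verified. It is not GnuTLS source: the parser and signature check are stand-ins driven by a constructed fake_cert struct, and the function and type names are invented for the example. The pattern, a helper that reports failure with a negative error code while its caller treats any non-zero value as success, is the one a code audit has to catch by reading the control flow, which is why it is so easy to miss.

```c
#include <stdio.h>

/* Added illustration, not GnuTLS source. Certificate parsing and signature
 * checking are replaced by a constructed fake_cert whose two flags decide
 * what the stand-in helpers report. */
typedef struct {
    int parse_error;      /* nonzero: the stand-in parser rejects this cert */
    int signature_valid;  /* 1: the stand-in signature check passes */
} fake_cert;

/* Negative error codes, in the style of C crypto library internals. */
enum { ERR_PARSE = -10 };

/* Hypothetical parser stand-in: 0 on success, negative error code on failure. */
static int parse_signed_data(const fake_cert *c)
{
    return c->parse_error ? ERR_PARSE : 0;
}

/* Vulnerable shape. Documented as "1 if verified, 0 otherwise", but the
 * parse-error path jumps to cleanup with the negative error code still in
 * `result`, so a malformed certificate yields -10 instead of 0. */
static int verify_vulnerable(const fake_cert *c)
{
    int result;

    result = parse_signed_data(c);
    if (result < 0)
        goto cleanup;                 /* bug: result is ERR_PARSE here */

    result = c->signature_valid ? 1 : 0;

cleanup:
    return result;
}

/* Fixed shape: the error code lives in its own variable and every failure
 * path returns the documented "not verified" value, 0. */
static int verify_fixed(const fake_cert *c)
{
    int ret = parse_signed_data(c);
    if (ret < 0)
        return 0;

    return c->signature_valid ? 1 : 0;
}

/* Caller written the way many are: any nonzero result means "trusted".
 * Returns 1 if the connection would be treated as secure. */
static int trusts_nonzero(int (*verify)(const fake_cert *), const fake_cert *c)
{
    return verify(c) != 0;
}

/* Defensive caller: only the documented success value is trusted. */
static int trusts_only_one(int (*verify)(const fake_cert *), const fake_cert *c)
{
    return verify(c) == 1;
}

/* Constructed inputs for the demonstration. */
static const fake_cert CERT_GOOD      = { 0, 1 };  /* parses, signature checks */
static const fake_cert CERT_BADSIG    = { 0, 0 };  /* parses, signature fails */
static const fake_cert CERT_MALFORMED = { 1, 0 };  /* parser rejects it */

int main(void)
{
    printf("malformed cert, vulnerable verifier, nonzero-means-ok caller: %s\n",
           trusts_nonzero(verify_vulnerable, &CERT_MALFORMED) ? "ACCEPTED" : "rejected");
    printf("malformed cert, fixed verifier, nonzero-means-ok caller:      %s\n",
           trusts_nonzero(verify_fixed, &CERT_MALFORMED) ? "ACCEPTED" : "rejected");
    printf("malformed cert, vulnerable verifier, ==1 caller:              %s\n",
           trusts_only_one(verify_vulnerable, &CERT_MALFORMED) ? "ACCEPTED" : "rejected");
    return 0;
}
```

Note that the attacker does not need a certificate that passes the signature check: the certificate that gets through is the one that makes an internal helper fail, which is exactly what "specially crafted" means here. Fixing either side of the contract closes the hole, but fixing the callee is the only option when the callers live in hundreds of separate packages.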

"Users of Red Hat Enterprise Linux can obtain updated corrected GnuTLS packages in their usual way or see https://access.redhat.com/security/cve/CVE-2014-0092 for links to our advisories," said Mark Cox, Red Hat's senior director for product security.

Most Linux users affected

"There are hundreds of packages that use the GnuTLS encryption libraries, so virtually every Linux user is affected," warned Dave Wreski, CEO of open source security firm Guardian Digital as well as founder and lead developer at linuxsecurity.com.

In fact, the bug appears to be more than 10 years old, "so it probably affects every Linux system currently in operation that utilizes the GnuTLS library," he told me.

I contacted a few of the other major distros on Wednesday to see what steps they had taken to address the problem so far.

"Our team addressed the issue in a timely manner," Ubuntu spokesperson Sian Aherne said. "The update manager will prompt desktop users about security updates, and we recommend that people using Ubuntu ensure their systems are up to date to ensure they are not affected."

Linux distros jump to action

After noticing that Red Hat rated the issue as high severity, David Walser, who manages security updates for Mageia Linux, said he "immediately packaged the update, using the patch from upstream. A member of our QA team tested the update very shortly after I built it and validated the update, and our main sysadmin--who pushes updates to the mirrors--released the update."

In all, "it was approximately five hours from when we became aware of the problem till the fix was implemented, tested, and then released as a security update," added Dave Hodgins, deputy leader of Mageia's QA team.

I haven't yet heard back from Linux Mint, but it's clear that numerous other distros have issued alerts as well.

OpenSSL not affected

Clearly there is cause for some concern. At the same time, while GnuTLS implements the SSL, TLS, and DTLS protocols commonly used by applications requiring secure communications over insecure channels like the Internet, the OpenSSL library is actually much more common, and it's not affected by this vulnerability, Wreski pointed out.

"OpenSSL is responsible for the crypto functions for the vast majority of common Internet applications," including Firefox and Chrome, he said. "A quick check revealed that Firefox and Chrome are not affected by this vulnerability."

Indeed, "Mageia tends to favor OpenSSL, so we don't have very many packages linked to GnuTLS," Mageia's Walser said, adding that Claws Mail, FileZilla and Pidgin are the apps most critically affected in the distro.

For the applications that are affected, meanwhile, "it requires that an attacker create a specially crafted digital certificate that leads regular users into believing they're communicating with a trusted site, when in fact their communications are being intercepted, and possibly manipulated, by the attacker," Wreski explained.

In other words, the attack requires not only that the attacker generate a bogus certificate but also that he or she be in a position where the forged certificate can be inserted into the victim's regular communications stream.

A 'subtle' bug

I couldn't resist asking Wreski why the bug took so long to be found given the fact that GnuTLS is open source software, with code widely available for viewing.

"The code is extremely complicated," he explained. "Even though the code is freely available for review, only a select group of people would be qualified to accurately analyze and understand the whole system well enough to catch such a subtle bug."

It's also not the type of vulnerability that can be found by automated analysis tools, requiring manual scrutiny instead, Wreski pointed out.

"I don't doubt that, as a result of these types of vulnerabilities, code analysis and testing tools will be developed to prevent this in the future," he added.

Update, update, update

In the meantime, what should Linux users do to stay safe? Basically, the same things they always should do: install the patched package, and restart any long-running services that had the old library loaded, since an updated shared library only takes effect in processes started after the update.

"Everyone should always apply the latest security updates to their system, and ensure they are using the latest version of their operating system available," Wreski said.

Users of current Linux distributions should contact their service provider or administrator to ensure their system is updated properly, while users of older, unsupported Linux platforms should upgrade to the latest release or disable applications that link against vulnerable software, he advised.

"Virtually all older unsupported Linux platforms have vulnerabilities that can be exploited," Wreski concluded, "and should never be connected to insecure networks."

By Katherine Noyes