GnuTLS bug exposes Linux clients to server attacks

The maintainers of GnuTLS, a secure communications library used in Red Hat, Ubuntu and other Linux distributions, have released fixes for a critical bug affecting the client side of the software.

The newly discovered vulnerability could allow a malicious server to execute code at its discretion on a requesting client, GnuTLS maintainers said in an advisory published on Saturday.

“This vulnerability affects the client side of the gnutls library. A server that sends a specially crafted ServerHello could corrupt the memory of a requesting client,” the developers noted.

The GnuTLS library implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, offering numerous Linux distributions and applications the tools to access secure communications. So while GnuTLS offers privacy over insecure channels, the bug means it’s possible for an attacker to crash or take control of a PC when it’s attempting to establish a secure connection with the attacker’s server.

GnuTLS chief developer and Red Hat engineer Nikos Mavrogiannopoulos released updates for the library on Saturday in the form of GnuTLS versions 3.1.25, 3.2.15, and 3.3.3.

A more comprehensive write-up on the bug by Red Hat, which rated the bug’s priority as “high severity”, indicates the flaw stems from an insufficient session_id check during the TLS/SSL handshake.

“A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code,” the company wrote.

“The flaw is in read_server_hello() / _gnutls_read_server_hello(), where session_id_len is checked to not exceed incoming packet size, but not checked to ensure it does not exceed maximum session id length.”
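The two checks the Red Hat write-up contrasts can be made concrete. The following is an added illustration, not GnuTLS code and not from the advisory: a minimal parser for a ServerHello body (assumed here to be the bytes after the 4-byte handshake header) that enforces both the packet-size bound and the 32-byte protocol maximum before copying the session id into a fixed-size buffer, plus a builder that constructs test messages. All function and constant names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLS_RANDOM_SIZE 32
#define TLS_MAX_SESSION_ID_SIZE 32   /* RFC 5246: SessionID is opaque<0..32> */
enum { SH_OK = 0, SH_ERR_TRUNCATED = -1, SH_ERR_SESSION_ID_TOO_LONG = -2 };

struct server_hello {
    uint16_t version, cipher_suite;
    uint8_t  compression;
    uint8_t  random[TLS_RANDOM_SIZE];
    uint8_t  session_id[TLS_MAX_SESSION_ID_SIZE];  /* fixed-size destination */
    size_t   session_id_len;
};

/* Parse a ServerHello body (bytes after the 4-byte handshake header).
 * Two bounds checks guard the session id copy: it must fit in what is left
 * of the packet AND must not exceed the protocol maximum. The second check
 * is the one the advisory describes as missing. */
int parse_server_hello(const uint8_t *buf, size_t len, struct server_hello *out)
{
    size_t pos = 2, sid_len;
    if (len < 2 + TLS_RANDOM_SIZE + 1) return SH_ERR_TRUNCATED;
    out->version = (uint16_t)((buf[0] << 8) | buf[1]);
    memcpy(out->random, buf + pos, TLS_RANDOM_SIZE); pos += TLS_RANDOM_SIZE;
    sid_len = buf[pos++];
    if (sid_len > len - pos) return SH_ERR_TRUNCATED;                        /* check 1: packet */
    if (sid_len > TLS_MAX_SESSION_ID_SIZE) return SH_ERR_SESSION_ID_TOO_LONG; /* check 2: buffer */
    memcpy(out->session_id, buf + pos, sid_len);
    out->session_id_len = sid_len; pos += sid_len;
    if (len - pos < 3) return SH_ERR_TRUNCATED;
    out->cipher_suite = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
    out->compression = buf[pos + 2];
    return SH_OK;
}

/* Build a constructed ServerHello body carrying a session id of sid_len bytes
 * (test input only, not captured traffic). Returns bytes written, 0 on error. */
size_t build_server_hello(uint8_t *dst, size_t cap, uint8_t sid_len)
{
    size_t pos = 0;
    if (cap < (size_t)2 + TLS_RANDOM_SIZE + 1 + sid_len + 3) return 0;
    dst[pos++] = 0x03; dst[pos++] = 0x03;                 /* version: TLS 1.2 */
    memset(dst + pos, 0xAA, TLS_RANDOM_SIZE); pos += TLS_RANDOM_SIZE;
    dst[pos++] = sid_len;
    memset(dst + pos, 0x5A, sid_len); pos += sid_len;
    dst[pos++] = 0xC0; dst[pos++] = 0x2F;                 /* cipher suite */
    dst[pos++] = 0x00;                                    /* null compression */
    return pos;
}
```

A message whose session id length byte is larger than 32 passes the packet-size check when the sender pads the packet accordingly, which is exactly why the second check is required.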

According to Red Hat, the bug affects all versions of Fedora and Extra Packages for Enterprise Linux (EPEL) version 5.

The flaw was initially reported by Joonas Kuorilehto of Codenomicon — the company responsible for discovering the recent OpenSSL Heartbleed bug.

The latest bug affecting Linux distributions through GnuTLS doesn’t appear to be as serious as the flaw Red Hat’s security team discovered earlier this year during an audit. While Red Hat gives them equivalent priority ratings, the earlier flaw could have allowed an attacker to dupe GnuTLS into accepting a fake certificate as valid, making it possible for an attacker to monitor traffic in plain text and inject arbitrary code.


This article is brought to you by Enex TestLab, content directors for CSO Australia.
