Are Secure Servers, Applications Really at Risk from GnuTLS “Hello” Vulnerability?
Security experts and researchers have found a risky vulnerability in GnuTLS, a secure communications library for SSL, TLS and DTLS protocols and associated technologies, which has experts frantically urging users to update GnuTLS. According to a bug description, posted by Bugzilla Red Hat, “a flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code.”
The flaw in question, according to thewhir.com, “was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code.”
In a blog post from radare, a company that creates reverse engineering frameworks, it showed that its r2 software could be used to exploit the GnuTLS vulnerability. radare’s recommendtion is to update GnuTLS to version 3.1.25, 3.2.15 or 3.3.4.
RELATED: Keeping Your Website Free of Malicious Scripts
“In order to test that vulnerability I choose to run a 32bit VoidLinux Virtualbox VM, fetched the r2 source from git, and executed the GnuTLS binaries against the system libs. This way, switching between the fixed and vulnerable executions can be done by changing the LD_LIBRARY_PATH
environment.”
“It’s recommended to use r2 from git: read this post to install r2 in your system.”
“A quick check on all the packages that depend on GnuTLS shows some hints of which client software is vulnerable to this issue.”
“GnuTLS credits Joonas Kuorilehto of Codenomicon as the individual who originally discovered the vulnerability. Codenomicon employees were among those that found the Heartbleed bug, a recent and devastating vulnerability in OpenSSL that presented risks for many high-profile sites, causing millions to change their web account passwords.”
“GnuTLS is an open-source transport-layer security library similar to OpenSSL, but less popular. Yet it is still widely used. It is shipped by default in Red Hat, Ubuntu and Debian, and more than 200 Linux software packages depend on it for SSL/TLS.”
“With the OpenSSL vulnerability in recent memory, administrators will want to take a similar level of diligence to ensure that GnuTLS doesn’t provide a way for hackers to interfere with their servers and applications.”
RELATED: A Dark Cloud: Anonymity and Privacy Fall Further Before a Cloud Computing Experiment
The GnuTLS chief developer and Red Hat engineer, Nikos Mavrogiannopoulos, released updates for the library that fixed the problems with GnuTLS versions 3.1.25, 3.2.15, and 3.3.3.
ZDNet writer, Liam Tung, speaking on this bug, relays that “while it’s thought the library is used by around 200 operating systems and applications, arguably many of them were not likely targets for a man-in-the-middle attack.”
This is not the first time ZDNet has mentioned the bugs in GnuTLS. In a March 6th article from earlier this year, Steven J. Vaughan-Nichols wrote:
“According to some reports you’d think the security sky was falling. Yes, GnuTLS, an open-source “secure” communications library that implements Secure-Socket Layer (SSL) and Transport Layer Security (TLS), has serious flaws. The good news? Almost no one uses it. OpenSSL has long been everyone’s favorite open-source security library of choice.”
Red Hat discovered the latest in a long-series of GnuTLS bugs.
“Latest? Yes, latest.”
“You see, GnuTLS has long been regarded as being a poor SSL/TLS security library. A 2008 message on the OpenLDAP mailing list had “GnuTLS considered harmful” as its subject — which summed it up nicely.”
RELATED: Avira Antivirus Features
At the end of his article, he looks to kill the issues:
“No one should be using GnuTLS. There are far better security programs out there starting with the far more popular OpenSSL. If for some reason you must use GnuTLS for now, either upgrade to the latest GnuTLS version (3.2.12) or apply the GnuTLS 2.12.x patch. Oh, and developers? Start weaning your programs from GnuTLS, you, and your users, will be glad you did.”
Vaughan-Nichols’ news from two months ago begs the question, was the bug worse than first thought? Was the problem ignored? Is it really as bad as people have said or did the Heartbleed bug scare the hell out of security experts and programmers, getting faster action on GnuTLS? Is it another case of the sky is falling but no one really wants to be the one to look up and see? Whatever the answer, is there really any bug that can be ignored?
Top image ©GL Stock Images