GnuTLS Bug Leaves Linux-Speaking Internet Open to Eavesdropping
A newly discovered vulnerability in the Gnu implementation of TLS is threatening the privacy of users running major distributions of Linux. The bug resides in the GnuTLS implementation and can be used to facilitate a man-in-the-middle attack and decrypt web traffic, according to GnuTLS’s security advisory.
“It was discovered that GnuTLS X.509 certificate verification code failed to properly handle certain errors that can occur during the certificate verification,” Tomas Hoger told Red Hat’s bug report. “When such errors are encountered, GnuTLS would report successful verification of the certificate, even though verification should end with failure.”
Even if it was not verified by a Certificate Authority, an attacker with a “specially-crafted” certificate can be accepted by the GnuTLS, thus leaving a big gap for a man-in-the-middle attack against software using GnuTLS.
The impact could be catastrophic. The TLS/SSL protocol is used today by millions of services worldwide to create a secure connection to a web service. Most servers run a Linux distro such as Red Hat, Ubuntu, or Debian, to mention only a few of the vulnerable operating systems.
Internet-grade encryption has been in the crosshairs lately, as the GnuTLS implementation fault follows right after Apple’s massive GOTO fail we wrote about earlier this week.
Users running operating systems with vulnerable implementations of the GnuTLS are advised to update the software to the latest version (3.2.12) or apply the GnuTLS 2.12.x. patch.