Are Secure Servers, Applications Really at Risk from GnuTLS “Hello” Vulnerability?


Security researchers have found a serious vulnerability in GnuTLS, a communications library implementing the SSL, TLS and DTLS protocols and associated technologies, and experts are urging users to update. The bug, tracked as CVE-2014-3466, is described in a Red Hat Bugzilla entry as follows: “a flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code.” Note where the overflow sits: it is the client that parses the ServerHello, so a GnuTLS-based server is not attacked by this bug, but any GnuTLS client that connects to a hostile server, or to a legitimate one through a man-in-the-middle, is.


The report at thewhir.com quotes the same Red Hat description of the flaw word for word.
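To make the advisory's description concrete, here is a small C model of the failure, written for this article and not taken from GnuTLS's source: a ServerHello body parser that copies the session ID into a 32-byte slot, once trusting the server's one-byte length field (the bug pattern) and once with the bound check a fix adds. The message bytes and the canary-filled "client memory" are constructed for the example; the ServerHello layout follows RFC 5246, and the function and constant names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 5246 section 7.4.1.3 defines SessionID as opaque <0..32>, so a
 * conforming client may reserve exactly 32 bytes for it. The length prefix
 * on the wire is one byte, so a malicious server can claim up to 255. */
#define TLS_MAX_SESSION_ID_SIZE 32

enum { SH_OK = 0, SH_TRUNCATED = -1, SH_BAD_SESSION_ID = -2 };

/* Parse a ServerHello body (the bytes after the 4-byte Handshake header) and
 * copy the session ID into sid_slot, which the caller sized for
 * TLS_MAX_SESSION_ID_SIZE bytes. With check_max == 0 the function trusts the
 * peer's length byte, the pattern the advisory describes; with check_max == 1
 * it refuses over-long IDs before touching the slot. (Illustrative model,
 * not GnuTLS's code.) */
static int parse_server_hello(const uint8_t *msg, size_t len,
                              uint8_t *sid_slot, size_t *sid_len_out,
                              uint16_t *cipher_out, int check_max)
{
    size_t pos = 0;
    if (len < 2 + 32 + 1)                   /* version + random + id length */
        return SH_TRUNCATED;
    pos += 2 + 32;                          /* version and random not needed here */
    size_t sid_len = msg[pos++];
    if (sid_len > len - pos)                /* claimed length runs past the message */
        return SH_TRUNCATED;
    if (check_max && sid_len > TLS_MAX_SESSION_ID_SIZE)
        return SH_BAD_SESSION_ID;           /* the bound check the vulnerable client lacked */
    memcpy(sid_slot, msg + pos, sid_len);   /* writes past the slot when sid_len > 32 */
    pos += sid_len;
    if (len - pos < 2 + 1)                  /* cipher suite + compression method */
        return SH_TRUNCATED;
    *sid_len_out = sid_len;
    *cipher_out = (uint16_t)((msg[pos] << 8) | msg[pos + 1]);
    return SH_OK;
}

/* Construct a ServerHello body with an attacker-chosen session-ID length
 * (test data made for this example). Returns bytes written, 0 if cap is too small. */
static size_t build_server_hello(uint8_t *buf, size_t cap, uint8_t sid_len)
{
    size_t need = 2 + 32 + 1 + sid_len + 2 + 1;
    if (cap < need)
        return 0;
    size_t pos = 0;
    buf[pos++] = 0x03; buf[pos++] = 0x03;              /* TLS 1.2 */
    memset(buf + pos, 0x11, 32); pos += 32;            /* fixed "random" for reproducibility */
    buf[pos++] = sid_len;
    memset(buf + pos, 'A', sid_len); pos += sid_len;   /* the session ID payload */
    buf[pos++] = 0xC0; buf[pos++] = 0x2F;              /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
    buf[pos++] = 0x00;                                 /* null compression */
    return pos;
}

/* Model of the client's memory: a 32-byte session-ID slot followed by whatever
 * state a real client keeps next to it. Filling the neighbour region with a
 * canary lets us count how many bytes an over-long ID clobbers. Everything
 * stays inside this one 255-byte array, so the demo is deterministic rather
 * than an actual crash. */
#define CLIENT_MEM_SIZE 255
#define CANARY 0xAA

static int run_case(uint8_t sid_len, int check_max, int *clobbered_out)
{
    uint8_t msg[320];
    size_t n = build_server_hello(msg, sizeof msg, sid_len);
    uint8_t client_mem[CLIENT_MEM_SIZE];
    memset(client_mem, CANARY, sizeof client_mem);
    memset(client_mem, 0, TLS_MAX_SESSION_ID_SIZE);    /* the slot itself starts empty */
    size_t got_len = 0;
    uint16_t cipher = 0;
    int rc = parse_server_hello(msg, n, client_mem, &got_len, &cipher, check_max);
    int clobbered = 0;
    for (size_t i = TLS_MAX_SESSION_ID_SIZE; i < sizeof client_mem; i++)
        if (client_mem[i] != CANARY)
            clobbered++;
    *clobbered_out = clobbered;
    return rc;
}

/* Wrappers so each result is a plain return value. */
static int parse_result(uint8_t sid_len, int check_max)
{
    int c; return run_case(sid_len, check_max, &c);
}
static int bytes_clobbered(uint8_t sid_len, int check_max)
{
    int c; run_case(sid_len, check_max, &c); return c;
}

int main(void)
{
    printf("32-byte ID,  unchecked: rc=%d, %d neighbour bytes overwritten\n", parse_result(32, 0), bytes_clobbered(32, 0));
    printf("255-byte ID, unchecked: rc=%d, %d neighbour bytes overwritten\n", parse_result(255, 0), bytes_clobbered(255, 0));
    printf("255-byte ID, bounded:   rc=%d, %d neighbour bytes overwritten\n", parse_result(255, 1), bytes_clobbered(255, 1));
    return 0;
}
```

The unchecked parser reports success for the 255-byte ID while having overwritten 223 bytes of neighbouring state, which is exactly why the advisory lists both a crash and possible code execution as outcomes; the bounded version rejects the message before the copy happens. The point of checking the length against the protocol maximum, and not just against the remaining message size, is that the second check alone keeps the read in bounds but says nothing about the destination buffer.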

In a blog post, radare, the project behind the r2 reverse-engineering framework, showed how r2 can be used to trigger and analyze the GnuTLS crash. radare’s recommendation is to update GnuTLS to version 3.1.25, 3.2.15 or 3.3.4.


“In order to test that vulnerability I chose to run a 32-bit VoidLinux Virtualbox VM, fetched the r2 source from git, and executed the GnuTLS binaries against the system libs. This way, switching between the fixed and vulnerable executions can be done by changing the LD_LIBRARY_PATH environment.”

“It’s recommended to use r2 from git: read this post to install r2 in your system.”

“A quick check on all the packages that depend on GnuTLS shows some hints of which client software is vulnerable to this issue.”


“GnuTLS credits Joonas Kuorilehto of Codenomicon as the individual who originally discovered the vulnerability. Codenomicon employees were among those that found the Heartbleed bug, a recent and devastating vulnerability in OpenSSL that presented risks for many high-profile sites, causing millions to change their web account passwords.”

“GnuTLS is an open-source transport-layer security library similar to OpenSSL, but less popular. Yet it is still widely used. It is shipped by default in Red Hat, Ubuntu and Debian, and more than 200 Linux software packages depend on it for SSL/TLS.”

“With the OpenSSL vulnerability in recent memory, administrators will want to take a similar level of diligence to ensure that GnuTLS doesn’t provide a way for hackers to interfere with their servers and applications.”


The GnuTLS lead developer and Red Hat engineer, Nikos Mavrogiannopoulos, released updates that fix the flaw: GnuTLS 3.1.25, 3.2.15 and 3.3.4.

ZDNet writer, Liam Tung, speaking on this bug, relays that “while it’s thought the library is used by around 200 operating systems and applications, arguably many of them were not likely targets for a man-in-the-middle attack.”

This is not the first time ZDNet has covered bugs in GnuTLS. In a March 6 article earlier this year, about an earlier GnuTLS flaw, Steven J. Vaughan-Nichols wrote:

“According to some reports you’d think the security sky was falling. Yes, GnuTLS, an open-source “secure” communications library that implements Secure Sockets Layer (SSL) and Transport Layer Security (TLS), has serious flaws. The good news? Almost no one uses it. OpenSSL has long been everyone’s favorite open-source security library of choice.”

“Red Hat discovered the latest in a long series of GnuTLS bugs.”

“Latest? Yes, latest.”

“You see, GnuTLS has long been regarded as being a poor SSL/TLS security library. A 2008 message on the OpenLDAP mailing list had “GnuTLS considered harmful” as its subject — which summed it up nicely.”


At the end of his article, he draws his conclusion:

“No one should be using GnuTLS. There are far better security programs out there starting with the far more popular OpenSSL. If for some reason you must use GnuTLS for now, either upgrade to the latest GnuTLS version (3.2.12) or apply the GnuTLS 2.12.x patch. Oh, and developers? Start weaning your programs from GnuTLS, you, and your users, will be glad you did.”

Vaughan-Nichols’ article from two months ago raises the question: was the bug worse than first thought? Was the problem ignored? Is it really as bad as people have said, or did the Heartbleed bug scare security experts and programmers into acting faster on GnuTLS? Is it another case of the sky falling while no one wants to be the one to look up and see? Whatever the answer, is there really any bug that can be ignored? For administrators the practical response is the one thewhir.com suggests: find every package on the system that links against GnuTLS, update the library to a fixed version, and remember that this particular bug bites clients, not servers.

Top image ©GL Stock Images
