{"id":15312,"date":"2014-06-05T01:36:24","date_gmt":"2014-06-05T05:36:24","guid":{"rendered":"https:\/\/webhostinggeeks.com\/blog\/?p=15312"},"modified":"2021-10-19T06:51:27","modified_gmt":"2021-10-19T10:51:27","slug":"risks-from-gnutls-hello","status":"publish","type":"post","link":"https:\/\/webhostinggeeks.com\/blog\/risks-from-gnutls-hello\/","title":{"rendered":"Are Secure Servers, Applications Really at Risk from GnuTLS &#8220;Hello&#8221; Vulnerability?"},"content":{"rendered":"<p>Security experts and researchers have found a risky vulnerability in GnuTLS, a secure communications library for SSL, TLS and DTLS protocols and associated technologies, which has experts frantically urging users to update GnuTLS.\u00a0According to a\u00a0<a href=\"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=1101932\" target=\"_blank\" rel=\"noopener\">bug description<\/a>, posted by Bugzilla\u00a0Red Hat, \u201ca flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS\/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS\/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code.<em>\u201d<\/em><\/p>\n<p><!--more--><\/p>\n<p><a href=\"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=1101932\"><img decoding=\"async\" class=\"alignnone size-full wp-image-15324 lazyload\" alt=\"redhat\" data-src=\"https:\/\/webhostinggeeks.com\/blog\/wp-content\/uploads\/2014\/06\/redhat.jpg\" width=\"650\" height=\"828\" data-srcset=\"https:\/\/webhostinggeeks.com\/blog\/wp-content\/uploads\/2014\/06\/redhat.jpg 650w, https:\/\/webhostinggeeks.com\/blog\/wp-content\/uploads\/2014\/06\/redhat-128x163.jpg 128w, https:\/\/webhostinggeeks.com\/blog\/wp-content\/uploads\/2014\/06\/redhat-420x535.jpg 420w, https:\/\/webhostinggeeks.com\/blog\/wp-content\/uploads\/2014\/06\/redhat-540x688.jpg 540w, https:\/\/webhostinggeeks.com\/blog\/wp-content\/uploads\/2014\/06\/redhat-565x720.jpg 565w, https:\/\/webhostinggeeks.com\/blog\/wp-content\/uploads\/2014\/06\/redhat-372x474.jpg 372w, https:\/\/webhostinggeeks.com\/blog\/wp-content\/uploads\/2014\/06\/redhat-328x418.jpg 328w\" data-sizes=\"(max-width: 650px) 100vw, 650px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 650px; --smush-placeholder-aspect-ratio: 650\/828;\" \/><\/a><\/p>\n<p>The flaw in question, according to <a href=\"https:\/\/www.webhostingtalk.com\/\" target=\"_blank\" rel=\"noopener\">thewhir.com<\/a>,\u00a0&#8220;was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS\/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS\/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code.\u201d<\/p>\n<p>In\u00a0<a href=\"https:\/\/radareorg.github.io\/blog\/technical-analysis-of-the-gnutls-hello-vulnerability\/\" target=\"_blank\" rel=\"noopener\">a blog post<\/a> from radare, a company that creates reverse engineering frameworks, it showed that its r2 software could be used to exploit the GnuTLS vulnerability. radare&#8217;s recommendtion is to \u00a0update GnuTLS to version 3.1.25, 3.2.15 or 3.3.4.<\/p>\n<p style=\"padding-left: 30px\">&#8220;In order to test that vulnerability I choose to run a 32bit\u00a0<a href=\"http:\/\/voidlinux.eu\/\">VoidLinux<\/a>\u00a0Virtualbox VM, fetched the r2 source from git, and executed the GnuTLS binaries against the system libs. This way, switching between the fixed and vulnerable executions can be done by changing the\u00a0<code>LD_LIBRARY_PATH<\/code>\u00a0environment.&#8221;<\/p>\n<p style=\"padding-left: 30px\">&#8220;It&#8217;s recommended to use r2 from git: read\u00a0<a href=\"https:\/\/radareorg.github.io\/blog\/getting-the-latest-radare2\">this<\/a>\u00a0post to install r2 in your system.&#8221;<\/p>\n<p style=\"padding-left: 30px\">&#8220;A quick check on all the packages that depend on GnuTLS shows some hints of which client software is vulnerable to this issue.&#8221;<\/p>\n<p><a href=\"https:\/\/radareorg.github.io\/blog\/technical-analysis-of-the-gnutls-hello-vulnerability\/\"><img decoding=\"async\" class=\"alignnone size-full wp-image-15323 lazyload\" alt=\"radare\" data-src=\"https:\/\/webhostinggeeks.com\/blog\/wp-content\/uploads\/2014\/06\/radare.jpg\" width=\"650\" height=\"634\" data-srcset=\"https:\/\/webhostinggeeks.com\/blog\/wp-content\/uploads\/2014\/06\/radare.jpg 650w, https:\/\/webhostinggeeks.com\/blog\/wp-content\/uploads\/2014\/06\/radare-128x125.jpg 128w, https:\/\/webhostinggeeks.com\/blog\/wp-content\/uploads\/2014\/06\/radare-420x410.jpg 420w, https:\/\/webhostinggeeks.com\/blog\/wp-content\/uploads\/2014\/06\/radare-540x527.jpg 540w, https:\/\/webhostinggeeks.com\/blog\/wp-content\/uploads\/2014\/06\/radare-372x363.jpg 372w, https:\/\/webhostinggeeks.com\/blog\/wp-content\/uploads\/2014\/06\/radare-328x320.jpg 328w\" data-sizes=\"(max-width: 650px) 100vw, 650px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 650px; --smush-placeholder-aspect-ratio: 650\/634;\" \/><\/a><\/p>\n<p style=\"padding-left: 30px\">&#8220;GnuTLS credits Joonas Kuorilehto of Codenomicon as the individual who originally discovered the vulnerability. Codenomicon employees were among those that found\u00a0<a href=\"https:\/\/www.webhostingtalk.com\/\" target=\"_blank\" rel=\"noopener\">the Heartbleed bug<\/a>, a recent and devastating vulnerability in OpenSSL that presented risks for many high-profile sites, causing millions to change their web account passwords.&#8221;<\/p>\n<p style=\"padding-left: 30px\">&#8220;GnuTLS is an open-source transport-layer security library similar to OpenSSL, but less popular. Yet it is still widely used. It is shipped by default in Red Hat, Ubuntu and Debian, and more than 200 Linux software packages depend on it for SSL\/TLS.&#8221;<\/p>\n<p style=\"padding-left: 30px\">&#8220;With the OpenSSL vulnerability in recent memory, administrators will want to take a similar level of diligence to ensure that GnuTLS doesn\u2019t provide a way for hackers to interfere with their servers and applications.&#8221;<\/p>\n<p>The GnuTLS chief developer and Red Hat engineer, Nikos Mavrogiannopoulos, released updates for the library that fixed the problems with GnuTLS versions\u00a0<a href=\"https:\/\/lists.gnupg.org\/pipermail\/gnutls-devel\/2014-May\/006944.html\" target=\"_blank\" rel=\"noopener\">3.1.25<\/a>,\u00a0<a href=\"https:\/\/lists.gnupg.org\/pipermail\/gnutls-devel\/2014-May\/006945.html\" target=\"_blank\" rel=\"noopener\">3.2.15<\/a>, and\u00a0<a href=\"https:\/\/lists.gnupg.org\/pipermail\/gnutls-devel\/2014-May\/006946.html\" target=\"_blank\" rel=\"noopener\">3.3.3<\/a>.<\/p>\n<p>ZDNet writer, Liam Tung, speaking on this bug, <a href=\"https:\/\/www.zdnet.com\/article\/another-serious-gnutls-bug-exposes-linux-clients-to-server-attacks\/\" target=\"_blank\" rel=\"noopener\">relays<\/a> that &#8220;while it&#8217;s thought the library is used by around 200 operating systems and applications, arguably many of them were\u00a0not likely targets for a man-in-the-middle attack.&#8221;<\/p>\n<p>This is not the first time ZDNet has mentioned the bugs in GnuTLS. In a March 6th <a href=\"https:\/\/www.zdnet.com\/article\/gnutls-big-internal-bugs-few-real-world-problems\/\" target=\"_blank\" rel=\"noopener\">article<\/a> from earlier this year, Steven J. Vaughan-Nichols wrote:<\/p>\n<p style=\"padding-left: 30px\">&#8220;According to some reports you&#8217;d think the security sky was falling. Yes,\u00a0<a href=\"https:\/\/www.gnutls.org\/\">GnuTLS<\/a>, an open-source &#8220;secure&#8221; communications library that implements \\Secure-Socket Layer (SSL) and Transport Layer Security (TLS), has serious flaws. The good news? Almost no one uses it.\u00a0<a href=\"https:\/\/www.openssl.org\/\">OpenSSL<\/a>\u00a0has long been everyone&#8217;s favorite open-source security library of choice.&#8221;<\/p>\n<p style=\"padding-left: 30px\"><a href=\"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=1069865\">Red Hat discovered the latest in a long-series of GnuTLS bugs<\/a>.<\/p>\n<p style=\"padding-left: 30px\">&#8220;Latest? Yes, latest.&#8221;<\/p>\n<p style=\"padding-left: 30px\">&#8220;You see, GnuTLS has long been regarded as being a poor SSL\/TLS security library. A 2008 message on the OpenLDAP mailing list had &#8220;<a href=\"https:\/\/www.openldap.org\/lists\/openldap-devel\/200802\/msg00072.html\">GnuTLS considered harmful<\/a>&#8221; as its subject \u2014 which summed it up nicely.&#8221;<\/p>\n<p>At the end of his article, he looks to kill the issues:<\/p>\n<p style=\"padding-left: 30px\">&#8220;No one should be using GnuTLS. There are far better security programs out there starting with the far more popular OpenSSL. If for some reason you must use GnuTLS for now, either\u00a0upgrade to the latest GnuTLS version (3.2.12)\u00a0or\u00a0<a href=\"https:\/\/www.gitorious.org\/gnutls\/gnutls\/commit\/6aa26f78150ccbdf0aec1878a41c17c41d358a3b\">apply the GnuTLS 2.12.x patch<\/a>. Oh, and developers? Start weaning your programs from GnuTLS, you, and your users, will be glad you did.&#8221;<\/p>\n<p>Vaughan-Nichols&#8217; news from two months ago begs the question, was the bug worse than first thought? Was the problem ignored? Is it really as bad as people have said or did the Heartbleed bug scare the hell out of security experts and programmers, getting faster action on GnuTLS? Is it another case of the sky is falling but no one really wants to be the one to look up and see? Whatever the answer, is there really any bug that can be ignored?<\/p>\n<p>Top image \u00a9GL Stock Images<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security experts and researchers have found a risky vulnerability in GnuTLS, a secure communications library for SSL, TLS and DTLS protocols and associated technologies, which has experts frantically urging users&#8230;<\/p>\n","protected":false},"author":13,"featured_media":15330,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"wds_primary_category":0,"footnotes":""},"categories":[9,11],"tags":[7193,7196,7192,7194,26,102,110],"class_list":["post-15312","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-issues","category-web-hosting-news","tag-bugs","tag-bugzilla","tag-gnutls","tag-programming","tag-redhat","tag-security","tag-ssl"],"views":157,"_links":{"self":[{"href":"https:\/\/webhostinggeeks.com\/blog\/wp-json\/wp\/v2\/posts\/15312","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/webhostinggeeks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/webhostinggeeks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/webhostinggeeks.com\/blog\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/webhostinggeeks.com\/blog\/wp-json\/wp\/v2\/comments?post=15312"}],"version-history":[{"count":0,"href":"https:\/\/webhostinggeeks.com\/blog\/wp-json\/wp\/v2\/posts\/15312\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/webhostinggeeks.com\/blog\/wp-json\/wp\/v2\/media\/15330"}],"wp:attachment":[{"href":"https:\/\/webhostinggeeks.com\/blog\/wp-json\/wp\/v2\/media?parent=15312"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/webhostinggeeks.com\/blog\/wp-json\/wp\/v2\/categories?post=15312"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/webhostinggeeks.com\/blog\/wp-json\/wp\/v2\/tags?post=15312"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}