GnuTLS bug exposes Linux clients to server attacks

The maintainers of GnuTLS, a secure communications library used in Red Hat, Ubuntu other Linux distributions, have released fixes for a critical bug affecting the client-side of the software.

The newly discovered vulnerability could allow a malicious server to execute code at its discretion on a requesting client, GnuTLS maintainers said in advisory published on Saturday.

“This vulnerability affects the client side of the gnutls library. A server that sends a specially crafted ServerHello could corrupt the memory of a requesting client,” the developers noted.

The GnuTLS library implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, offering numerous Linux distributions and applications the tools to access secure communications. So while GnuTLS offers privacy over insecure channels, the bug means it’s possible for an attacker to crash or take control of a PC when it’s attempting to establish a secure connection with the attacker’s server.

GnuTLS chief developer and Red Hat engineer Nikos Mavrogiannopoulos released updates for the library on Saturday in the form of GnuTLS versions 3.1.25, 3.2.15, and 3.3.3.

A more comprehensive write-up on the bug by Red Hat, which rated the bug’s priority as “high severity”, indicates the flaw stems from an insufficient session_id check during the TLS/SSL handshake.

“A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code,” the company wrote.

“The flaw is in read_server_hello() / _gnutls_read_server_hello(), where session_id_len is checked to not exceed incoming packet size, but not checked to ensure it does not exceed maximum session id length.”

According to Red Hat, the bug affects all versions of Fedora and Extra Packages for Enterprise Linux (EPEL) version 5.

The flaw was initially reported by Joonas Kuorilehto of Codenomicon — the company responsible for discovering the recent OpenSSL Heartbleed bug.

The latest bug affecting Linux distributions through GnuTLS doesn’t appear to be as serious as the flaw Red Hat’s security team discovered earlier this year during an audit. While Red Hat gives them equivalent priority ratings, the earlier flaw could have allowed an attacker to dupe GnuTLS to accept a fake certificate as valid, making it possible for an attacker to monitor traffic in plain text and inject arbitrary code.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Tags LinuxGnuTLS

Show Comments