"OpenSSL is responsible for the crypto functions for the vast majority of common Internet applications," including Firefox and Chrome, he said. "A quick check revealed that Firefox and Chrome are not affected by this vulnerability."
Indeed, "Mageia tends to favor OpenSSL, so we don't have very many packages linked to GnuTLS," Mageia's Walser said, adding that Claws Mail, FileZilla and Pidgin are the apps most critically affected in the distro.
For the applications that are affected, meanwhile, "it requires that an attacker create a specially crafted digital certificate that leads regular users into believing they're communicating with a trusted site, when in fact their communications are being intercepted, and possibly manipulated, by the attacker," Wreski explained.
In other words, the attack requires not only that the attacker generate a bogus certificate but also that he or she be in a position where the forged certificate can be inserted into the victim's regular communications stream.
A 'subtle' bug
I couldn't resist asking Wreski why the bug took so long to be found given the fact that GnuTLS is open source software, with code widely available for viewing.
"The code is extremely complicated," he explained. "Even though the code is freely available for review, only a select group of people would be qualified to accurately analyze and understand the whole system well enough to catch such a subtle bug."
It's also not the type of vulnerability that can be found by automated analysis tools, requiring manual scrutiny instead, Wreski pointed out.
"I don't doubt that, as a result of these types of vulnerabilities, code analysis and testing tools will be developed to prevent this in the future," he added.
Update, update, update
In the meantime, what should Linux users do to stay safe? Basically, the same things they always should do.
"Everyone should always apply the latest security updates to their system, and ensure they are using the latest version of their operating system available," Wreski said.
Users of current Linux distributions should contact their service provider or administrator to ensure their system is updated properly, while users of older, unsupported Linux platforms should upgrade to the latest release or disable applications that link against vulnerable software, he advised.
"Virtually all older unsupported Linux platforms have vulnerabilities that can be exploited," Wreski concluded, "and should never be connected to insecure networks."
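To act on the advice above about applications that link against vulnerable software, an administrator first needs to know which installed executables actually depend on libgnutls. The following script is an added example, not from the article or the GnuTLS project; it assumes a GNU/Linux system with ldd available, and the library pattern and scanned directories are assumptions.

```shell
#!/bin/sh
# Added example: list installed executables whose dynamic dependencies
# include a given shared library (default: libgnutls), so affected
# applications can be updated or disabled. Assumes GNU/Linux with ldd.

LIB_PATTERN="${LIB_PATTERN:-libgnutls}"

# Read ldd(1)-style output on stdin and print only the soname column, e.g.
#   "libgnutls.so.28 => /usr/lib/libgnutls.so.28 (0x7f...)" -> "libgnutls.so.28"
# Lines without "=>" (the vDSO, the dynamic loader itself) are skipped.
linked_sonames() {
    awk '$2 == "=>" { print $1 }'
}

# Exit 0 if the ldd output on stdin references a library matching $1.
uses_lib() {
    linked_sonames | grep -q -- "$1"
}

# Scan every regular executable in the directories given as arguments and
# print those whose dependencies match LIB_PATTERN. Note that ldd may run
# the program's dynamic loader, so only point this at trusted system paths.
scan_dirs() {
    for dir in "$@"; do
        for bin in "$dir"/*; do
            [ -f "$bin" ] && [ -x "$bin" ] || continue
            # ldd fails on static or non-ELF files; those are simply skipped.
            if ldd "$bin" 2>/dev/null | uses_lib "$LIB_PATTERN"; then
                printf '%s\n' "$bin"
            fi
        done
    done
}

# Scan only when directories are given, so the functions can also be sourced.
# Example: sh find_gnutls_users.sh /usr/bin /usr/sbin
if [ "$#" -gt 0 ]; then
    scan_dirs "$@"
fi
```

The scan only sees dynamic linking: a program that bundles or statically links its own copy of GnuTLS will not appear, so package-manager queries (which package owns libgnutls, and what depends on it) remain the authoritative check.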