GnuTLS Bug Leaves Linux-Speaking Internet Open to Eavesdropping

A newly discovered vulnerability in the GNU implementation of TLS is threatening the privacy of users running major distributions of Linux. The bug resides in the GnuTLS certificate verification code and can be used to facilitate a man-in-the-middle attack and decrypt web traffic, according to GnuTLS’s security advisory.

“It was discovered that GnuTLS X.509 certificate verification code failed to properly handle certain errors that can occur during the certificate verification,” Tomas Hoger wrote in Red Hat’s bug report. “When such errors are encountered, GnuTLS would report successful verification of the certificate, even though verification should end with failure.”

A “specially-crafted” certificate can therefore be accepted by GnuTLS even if it was never signed by a trusted Certificate Authority, leaving a big gap for a man-in-the-middle attack against any software that relies on GnuTLS for certificate validation.
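The failure mode described in the quote above, as a constructed C illustration added here (not GnuTLS’s actual code): a verifier that means 1 for trusted and 0 for untrusted, but lets an internal negative error code escape, so a caller that only tests for “nonzero” accepts the certificate. The struct, function names, error code and issuer string are all invented for the example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed illustration (not GnuTLS's code) of the error-handling class the
 * advisory describes: an internal negative error code escapes to a caller that
 * only distinguishes zero (untrusted) from nonzero (trusted). */
#define ERR_PARSE (-3)                 /* hypothetical internal error code */
#define TRUSTED_ISSUER "Constructed Root CA"

typedef struct {
    const char *issuer;   /* who signed the certificate */
    int sig_ok;           /* 1 if the signature verifies against the issuer */
    int malformed;        /* 1 if the signed-data blob cannot be parsed */
} cert_t;

/* Hypothetical parsing step that fails with a negative code. */
static int get_signed_data(const cert_t *c) {
    return c->malformed ? ERR_PARSE : 0;
}

/* Vulnerable shape: a parse error jumps to cleanup with `result` still -3,
 * and a caller writing `if (verify(...))` treats that as trusted. */
int verify_vulnerable(const cert_t *c) {
    int result = get_signed_data(c);
    if (result < 0)
        goto cleanup;                  /* bug: error code leaks out as the verdict */
    result = c->sig_ok && strcmp(c->issuer, TRUSTED_ISSUER) == 0;
cleanup:
    return result;
}

/* Fixed shape: every internal error collapses to 0, so a nonzero return can
 * only mean that all checks actually passed. */
int verify_fixed(const cert_t *c) {
    if (get_signed_data(c) < 0)
        return 0;                      /* fail closed */
    return c->sig_ok && strcmp(c->issuer, TRUSTED_ISSUER) == 0;
}

/* Constructed inputs: a valid cert, and a malformed one from an unknown issuer. */
static const cert_t GOOD   = { TRUSTED_ISSUER, 1, 0 };
static const cert_t FORGED = { "Unknown Issuer", 0, 1 };

/* Each caller accepts the certificate when the verifier returns nonzero. */
int vulnerable_accepts_forged(void) { return verify_vulnerable(&FORGED) != 0; }
int fixed_accepts_forged(void)      { return verify_fixed(&FORGED) != 0; }
int fixed_accepts_good(void)        { return verify_fixed(&GOOD) != 0; }

int main(void) {
    printf("vulnerable accepts forged: %d, fixed accepts forged: %d\n",
           vulnerable_accepts_forged(), fixed_accepts_forged());
    return 0;
}
```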

The impact could be catastrophic. The TLS/SSL protocol is used today by millions of services worldwide to create a secure connection to a web service. Most servers run a Linux distro such as Red Hat, Ubuntu, or Debian, to mention only a few of the vulnerable operating systems.

Internet-grade encryption has been in the crosshairs lately, as the GnuTLS implementation fault follows right after Apple’s massive GOTO fail we wrote about earlier this week.

Users running operating systems with vulnerable versions of GnuTLS are advised to update to the latest release (3.2.12) or to apply the patch for the GnuTLS 2.12.x branch.

About the author

Lucian Ciolacu

Still the youngest Bitdefender News writer, Lucian is constantly after flash news in the security industry, especially when something is vulnerable or exploited. Besides digging for 'hacker' scoops and data leaks, he enjoys sports, such as football and tennis.
He has also combined an interest in social and political sciences, as a graduate of the Political Science Faculty, with a passion for guitar and computer games.