Linux hit by GnuTLS exploit, follows Heartbleed model

Beware the overly-long handshake
Wed Jun 04 2014, 16:46

LINUX DISTRIBUTIONS are being warned to patch the latest serious bug in code they use to secure internet communications.

The vulnerability in the GnuTLS library affects the encryption of communications on systems running Debian, Red Hat and any number of derivative Linux distributions.

Codenomicon, the company responsible for discovering the Heartbleed bug, discovered the vulnerability, which, like Heartbleed, lies in an implementation of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption, such as that used for sending email and internet banking.

Red Hat, which has now issued a patch for the problem, said on Saturday, "A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code."
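The defect Red Hat describes is a missing bound on the session id length byte. The parser below is an added illustration, not GnuTLS's own code: a TLS 1.0-1.2 session id is at most 32 bytes, so a client must reject a larger length before copying anything into its fixed-size buffer. The ServerHello field layout is the standard one; the message builder produces constructed samples, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TLS_RANDOM_LEN 32
#define TLS_MAX_SESSION_ID_LEN 32 /* SessionID is <0..32> bytes (RFC 5246 7.4.1.3) */

struct server_hello {
    uint16_t version;
    uint8_t  random[TLS_RANDOM_LEN];
    uint8_t  session_id_len;
    uint8_t  session_id[TLS_MAX_SESSION_ID_LEN]; /* fixed-size, so the bound must be enforced */
    uint16_t cipher_suite;
};

/* Parse the leading fields of a ServerHello body into *out.
 * Returns bytes consumed, or -1 if the message is truncated or the
 * session id length byte exceeds 32 (the check the GnuTLS fix enforces). */
int parse_server_hello(const uint8_t *buf, size_t len, struct server_hello *out)
{
    if (len < 2 + TLS_RANDOM_LEN + 1)
        return -1;
    out->version = (uint16_t)((buf[0] << 8) | buf[1]);
    memcpy(out->random, buf + 2, TLS_RANDOM_LEN);
    size_t pos = 2 + TLS_RANDOM_LEN;
    uint8_t sid_len = buf[pos++];
    if (sid_len > TLS_MAX_SESSION_ID_LEN)  /* validate before any copy into the fixed buffer */
        return -1;
    if (len - pos < (size_t)sid_len + 2)   /* need the id plus a 2-byte cipher suite */
        return -1;
    out->session_id_len = sid_len;
    memcpy(out->session_id, buf + pos, sid_len);
    pos += sid_len;
    out->cipher_suite = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
    return (int)(pos + 2);
}

/* Build a constructed ServerHello body (not captured traffic) carrying a
 * session id of sid_len bytes. Returns bytes written, or -1 if cap is too small. */
int build_server_hello(uint8_t *out, size_t cap, uint8_t sid_len)
{
    size_t need = 2 + TLS_RANDOM_LEN + 1 + sid_len + 2;
    if (cap < need) return -1;
    out[0] = 0x03; out[1] = 0x03;               /* TLS 1.2 */
    memset(out + 2, 0xAA, TLS_RANDOM_LEN);      /* placeholder server random */
    out[2 + TLS_RANDOM_LEN] = sid_len;
    memset(out + 3 + TLS_RANDOM_LEN, 0x42, sid_len);
    out[need - 2] = 0x00; out[need - 1] = 0x2F; /* TLS_RSA_WITH_AES_128_CBC_SHA */
    return (int)need;
}
```

A 32-byte session id parses normally; a message whose length byte says 200 is rejected before any bytes are copied, which is the behaviour a patched client should show.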

GnuTLS has already been patched this year, after it was discovered that it didn't always recognise fake security certificates, passing them as genuine.

In the wake of the Heartbleed bug, the open-source SSL library OpenSSL has received funding from the industry to ensure it is improved and maintained so this doesn't happen again.

The Truecrypt project was recently shuttered after its own vulnerabilities were found, but has since been revived.

The GnuTLS library has now been patched, and systems running GnuTLS 3.3.3, GnuTLS 3.2.15, GnuTLS 3.1.25 or later should now be safe.
