GnuTLS Hello Vulnerability Poses Potential Risks to Secure Servers and Applications

Security researchers have found a vulnerability in GnuTLS, a secure communications library for SSL, TLS and DTLS protocols and associated technologies, which has experts urging users to update GnuTLS.

According to a bug description posted by Red Hat, “A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code.”
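
The class of check the bug description implies, as an added example (not GnuTLS code and not the Red Hat patch): a ServerHello body parser that rejects a session ID longer than the 32 bytes TLS allows before copying it into a fixed-size buffer. The struct, function names and sample bytes are hypothetical and constructed for illustration; the field layout follows RFC 5246.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RANDOM_LEN     32
#define MAX_SESSION_ID 32  /* RFC 5246: opaque SessionID<0..32> */

struct server_hello {
    uint8_t  version[2], random[RANDOM_LEN];
    uint8_t  session_id[MAX_SESSION_ID], session_id_len;
    uint16_t cipher_suite;
};

/* Parse a ServerHello body. Returns 0 ok, -1 truncated, -2 oversized session ID. */
int parse_server_hello(const uint8_t *buf, size_t len, struct server_hello *out)
{
    size_t pos = 2 + RANDOM_LEN;
    if (len < pos + 1) return -1;
    memcpy(out->version, buf, 2);
    memcpy(out->random, buf + 2, RANDOM_LEN);
    uint8_t sid_len = buf[pos++];
    /* One length byte can claim up to 255; the destination holds 32. */
    if (sid_len > MAX_SESSION_ID) return -2;
    /* Session ID + cipher suite (2) + compression (1) must be present. */
    if (len - pos < (size_t)sid_len + 3) return -1;
    memcpy(out->session_id, buf + pos, sid_len);
    out->session_id_len = sid_len; pos += sid_len;
    out->cipher_suite = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
    return 0;
}

/* Constructed sample: ServerHello body carrying a session ID of sid_len bytes. */
size_t build_sample(uint8_t *dst, uint8_t sid_len)
{
    size_t n = 2 + RANDOM_LEN;
    dst[0] = 0x03; dst[1] = 0x03;                       /* TLS 1.2 */
    memset(dst + 2, 0xAA, RANDOM_LEN);
    dst[n++] = sid_len;
    memset(dst + n, 0x41, sid_len); n += sid_len;
    dst[n++] = 0x00; dst[n++] = 0x2F; dst[n++] = 0x00;  /* suite, compression */
    return n;
}

int main(void)
{
    uint8_t msg[2 + RANDOM_LEN + 1 + 255 + 3];
    struct server_hello sh;
    int ok  = parse_server_hello(msg, build_sample(msg, 32), &sh);
    int bad = parse_server_hello(msg, build_sample(msg, 200), &sh);
    printf("32-byte id: %d, 200-byte id: %d\n", ok, bad);
    return 0;
}
```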

In a blog post, radare, which creates reverse engineering frameworks, showed that its r2 software could be used to exploit the vulnerability. radare recommends updating GnuTLS to version 3.1.25, 3.2.15 or 3.3.4. There is also a patch available from Red Hat programmer Nikos Mavrogiannopoulos.

GnuTLS credits Joonas Kuorilehto of Codenomicon as the individual who originally discovered the vulnerability. Codenomicon employees were among those who found the Heartbleed bug, a devastating vulnerability in OpenSSL that presented risks for many high-profile sites.

As TechWorld’s Lucian Constantin notes, GnuTLS is an open-source transport-layer security library similar to OpenSSL, but less popular. Yet it is still widely used. It is shipped by default in Red Hat, Ubuntu and Debian, and more than 200 Linux software packages depend on it for SSL/TLS.

With the OpenSSL vulnerability in recent memory, administrators will want to apply a similar level of diligence to ensure that GnuTLS doesn’t provide a way for hackers to interfere with their servers and applications.

About the Author

David Hamilton is a Toronto-based technology journalist who has written for the National Post and other news outlets. He has covered the hosting industry internationally for the Web Host Industry Review with particular attention to innovative hosting solutions and the issues facing the industry. David is a graduate of Queen’s University and the Humber College School of Media Studies.
