GnuTLS Hello Vulnerability Poses Potential Risks to Secure Servers and Applications

Security researchers have found a vulnerability in GnuTLS, an open-source secure communications library implementing the SSL, TLS and DTLS protocols and related technologies, and experts are urging users to update to a fixed release.

According to a bug description posted by Red Hat, “A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code.”

A blog post from the radare project, which develops reverse engineering frameworks, showed its r2 tooling being used to exploit the vulnerability. radare recommends updating GnuTLS to version 3.1.25, 3.2.15 or 3.3.4, depending on which branch is in use. There is also a patch from GnuTLS maintainer Nikos Mavrogiannopoulos, a programmer at Red Hat.
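To make the Red Hat description concrete, here is an added illustration of the bug class and its fix. This is example code written for this article, not GnuTLS source and not the upstream patch: the byte layout follows the TLS ServerHello body (version, random, session ID length, session ID, cipher suite, compression method), while the function names, the 32-byte slot with a simulated 256-byte neighbour, and the sample hello messages are this example's own constructions. The session ID length is an 8-bit field, so a malicious server can claim up to 255 bytes against a 32-byte field; the hardened parser rejects anything over the protocol maximum before copying.

```c
/* Added example of the ServerHello session-ID length bug class.
 * Not GnuTLS code: layout follows RFC 5246 s.7.4.1.3, everything else
 * (names, buffer sizes, sample messages) is constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLS_MAX_SESSION_ID_SIZE 32   /* SessionID is 0..32 bytes per spec */
#define ADJACENT 256                 /* simulated memory after the 32-byte slot */

struct server_hello {
    uint16_t version;
    uint8_t  random[32];
    uint8_t  session_id_len;
    uint8_t  session_id[TLS_MAX_SESSION_ID_SIZE];
    uint16_t cipher_suite;
    uint8_t  compression;
};

/* Build a constructed ServerHello body carrying a session ID of sid_len bytes.
 * sid_len may exceed 32 to model a malicious server. Returns the encoded
 * length, or 0 if the request is impossible (> 255) or out is too small. */
size_t build_server_hello(uint8_t *out, size_t cap, unsigned sid_len)
{
    size_t need = 2 + 32 + 1 + sid_len + 2 + 1;
    if (sid_len > 255 || cap < need) return 0;
    size_t p = 0;
    out[p++] = 0x03; out[p++] = 0x03;                     /* TLS 1.2 */
    for (int i = 0; i < 32; i++) out[p++] = (uint8_t)i;   /* fake server random */
    out[p++] = (uint8_t)sid_len;
    for (unsigned i = 0; i < sid_len; i++) out[p++] = (uint8_t)('A' + i % 26);
    out[p++] = 0xC0; out[p++] = 0x2F;                     /* ECDHE-RSA-AES128-GCM-SHA256 */
    out[p++] = 0x00;                                      /* null compression */
    return p;
}

/* Vulnerable pattern: trust the 8-bit length and copy into a fixed 32-byte
 * slot. To keep this well-defined, the copy lands in a flat frame whose first
 * 32 bytes stand for the session_id field and whose remaining bytes stand for
 * whatever follows it in memory. Returns how many bytes spilled past the slot. */
size_t vulnerable_copy_spill(const uint8_t *hello, size_t len)
{
    uint8_t frame[TLS_MAX_SESSION_ID_SIZE + ADJACENT];
    memset(frame, 0xAA, sizeof frame);
    if (len < 35) return 0;
    uint8_t sid_len = hello[34];
    if (len < 35u + sid_len) return 0;
    memcpy(frame, hello + 35, sid_len);                   /* no check against 32 */
    size_t spilled = 0;
    for (size_t i = TLS_MAX_SESSION_ID_SIZE; i < sizeof frame; i++)
        if (frame[i] != 0xAA) spilled++;
    return spilled;
}

/* Hardened parser: every length is checked against the remaining input and
 * the protocol maximum before anything is copied. Returns 0 on success,
 * -1 on truncated input, -2 on an out-of-spec session ID length. */
int parse_server_hello(const uint8_t *hello, size_t len, struct server_hello *sh)
{
    size_t p = 0;
    if (len < 2 + 32 + 1) return -1;
    sh->version = (uint16_t)((hello[0] << 8) | hello[1]); p = 2;
    memcpy(sh->random, hello + p, 32); p += 32;
    sh->session_id_len = hello[p++];
    if (sh->session_id_len > TLS_MAX_SESSION_ID_SIZE) return -2;   /* the missing check */
    if (len - p < sh->session_id_len) return -1;
    memcpy(sh->session_id, hello + p, sh->session_id_len); p += sh->session_id_len;
    if (len - p < 3) return -1;
    sh->cipher_suite = (uint16_t)((hello[p] << 8) | hello[p + 1]); p += 2;
    sh->compression = hello[p];
    return 0;
}

int main(void)
{
    uint8_t buf[512];
    struct server_hello sh;
    size_t n = build_server_hello(buf, sizeof buf, 32);
    printf("benign (32-byte id):     parse=%d spill=%zu\n",
           parse_server_hello(buf, n, &sh), vulnerable_copy_spill(buf, n));
    n = build_server_hello(buf, sizeof buf, 200);
    printf("malicious (200-byte id): parse=%d spill=%zu\n",
           parse_server_hello(buf, n, &sh), vulnerable_copy_spill(buf, n));
    return 0;
}
```

The benign hello parses cleanly and spills nothing; the 200-byte one overwrites 168 bytes beyond the slot in the unchecked version and is rejected with -2 by the hardened parser before a single session ID byte is copied. In a real client that adjacent memory is other fields of the session structure or heap metadata, which is why the advisory rates the outcome as crash or possible code execution.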

GnuTLS credits Joonas Kuorilehto of Codenomicon with the original discovery of the vulnerability. Codenomicon employees were among those who found Heartbleed, the devastating OpenSSL vulnerability that put many high-profile sites at risk.

As TechWorld’s Lucian Constantin notes, GnuTLS is an open-source transport-layer security library comparable to OpenSSL but less widely deployed. Even so, it is far from niche: it ships by default in Red Hat, Ubuntu and Debian, and more than 200 Linux software packages depend on it for SSL/TLS.

One point the advisory text makes clear is where the exposure lies: the malformed ServerHello is sent by the server, so the code that overflows is on the client side. Any program that uses GnuTLS to make outbound TLS connections, including server-side software that itself connects to other services, can be attacked by a malicious or compromised endpoint it talks to. With Heartbleed still in recent memory, administrators will want the same level of diligence here: update the GnuTLS packages, and restart long-running processes linked against the library, since an updated shared object does not replace the copy already loaded in memory.
