{"id":8655,"date":"2014-03-05T17:52:13","date_gmt":"2014-03-05T22:52:13","guid":{"rendered":"http:\/\/www.opensource.im\/?p=8655"},"modified":"2014-03-05T17:52:13","modified_gmt":"2014-03-05T22:52:13","slug":"massive-linux-security-flaw-dwarfs-apples-cryptography-problems-of-just-last-week","status":"publish","type":"post","link":"https:\/\/euvolution.com\/open-source-convergence\/cryptography\/massive-linux-security-flaw-dwarfs-apples-cryptography-problems-of-just-last-week.php","title":{"rendered":"Massive Linux security flaw dwarfs Apple\u2019s cryptography problems of just last week"},"content":{"rendered":"<p>A newly discovered bug in the popular GnuTLS library has the potential to dwarf Apple's SSL encryption problems of just last week, thanks to a similar error with error checks and notifications. That's quite a feat, considering that the Apple Goto Fail bug impacted millions of devices running both iOS and OS X, but the bug in GnuTLS looks like it will be far bigger. Over 200 applications have been identified that depend on GnuTLS, and the actual list is likely much, much higher.<\/p>\n<p>According to Ars Technica, the problem here is similar in type to the issue that tripped up Apple. In both cases, incorrect code short-circuited the functions that are supposed to verify whether or not a proper SSL certificate has actually been presented. Red Hat found the error during a security audit and describes it thus: \"It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker.\"<\/p>\n<p>The good news is, patches are already in place for this problem. The bad news is, it's going to take a long time to tease out exactly which products are affected. Because GnuTLS is open source, it's not as if the organization has a checklist it can pull to contact every vendor that uses its software. Furthermore, the flaw may go all the way back to the initial code; the organization's website states that anyone who uses certificate authentication in any version of GnuTLS is affected by the vulnerability.<\/p>\n<p>The list of impacted software is enormous. Cryptographic code signing is thought to protect against exploits in most Linux distros, but Cisco's VPN software apparently relies on GnuTLS, to name just one company. Web hosts or online services that rely on GnuTLS will have to update their own software to guard users against man-in-the-middle attacks. Inevitably, there are going to be applications that aren't ever updated, which will leave consumers vulnerable.<\/p>\n<p>The fact that similar code errors have been found in critical software that secures a great deal of back-end infrastructure as well as personal devices hopefully means that more companies are examining the guts of their security code more thoroughly. The NSA revelations of the past 12 months have been light on technical details, but the NSA clearly has sophisticated access to certain systems thanks to security flaws and hidden capabilities. Hopefully patching issues like this removes a few arrows from the government's quiver, though if the NSA was, in fact, aware of either bug, it would mean the government deliberately left consumers and businesses exposed to potential malware to suit its own purposes. That wouldn't surprise many people in today's climate, but it would be a far cry from the 1970s when the NSA deliberately improved the DES standard to better guard against a then-unknown attack vector it felt might emerge in the future.<\/p>\n<p>View original post here:<br \/>\n<a target=\"_blank\" href=\"http:\/\/www.extremetech.com\/computing\/177882-massive-linux-security-flaw-dwarfs-apples-cryptography-problems-of-just-last-week\/RK=0\/RS=lkem7THiqNdw5fIHaMgvSHY1q8w-\" title=\"Massive Linux security flaw dwarfs Apple\u2019s cryptography problems of just last week\">Massive Linux security flaw dwarfs Apple\u2019s cryptography problems of just last week<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A newly discovered bug in the popular GnuTLS library has the potential to dwarf Apple's SSL encryption problems of just last week, thanks to a similar error with error checks and notifications. That's quite a feat, considering that the Apple Goto Fail bug impacted millions of devices running both iOS and OS X, but the bug in GnuTLS looks like it will be far bigger.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1600],"tags":[],"class_list":["post-8655","post","type-post","status-publish","format-standard","hentry","category-cryptography"],"_links":{"self":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/8655"}],"collection":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/comments?post=8655"}],"version-history":[{"count":0,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/8655\/revisions"}],"wp:attachment":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/media?parent=8655"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/categories?post=8655"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/tags?post=8655"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}