Announcement

Collapse
No announcement yet.

New vulnerability found, GNUTLS lib, Linux possible target

Collapse
This topic is closed.
X
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
    #1

    New vulnerability found, GNUTLS lib, Linux possible target

    New vulnerability found, Linux possible target

    http://arstechnica.com/security/2014...eavesdropping/

    "The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package...."
    Kubuntu 23.11 64bit under Kernel 6.8.8, Hp Pavilion, 6MB ram. All Bow To The Great Google... cough, hack, gasp.
    Tags: None
    • Top
    • Bottom
    #2
    Originally posted by TWPonKubuntu View Post
    New vulnerability found, Linux possible target

    http://arstechnica.com/security/2014...eavesdropping/

    "The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package...."
    Changes came through today for GnuTLS on 13.10.
    Linux because it works. No social or political motives in my decision to use it.
    Always consider Occam's Razor
    Rich
    • Top
    • Bottom

    Comment

      #3
      That's good to hear, rb!

      I noticed that the currently installed gnutls files on Kubuntu 14.04, as of the latest update at 11AM CST this morning are still using the 3.2.11-2ubuntu1 version.
      https://www.kubuntuforums.net/showth...l=1#post346783

      I suspect that sometime today the fix will come through the 14.04 repository.
      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
      – John F. Kennedy, February 26, 1962.
      • Top
      • Bottom

      Comment

        #4
        Originally posted by GreyGeek View Post
        That's good to hear, rb!

        I noticed that the currently installed gnutls files on Kubuntu 14.04, as of the latest update at 11AM CST this morning are still using the 3.2.11-2ubuntu1 version.
        https://www.kubuntuforums.net/showth...l=1#post346783

        I suspect that sometime today the fix will come through the 14.04 repository.
        The version that came through is 2.12.23-1ubuntu4.1. I am sure 14.04 will come through soon.
        Linux because it works. No social or political motives in my decision to use it.
        Always consider Occam's Razor
        Rich
        • Top
        • Bottom

        Comment

          #5
          Originally posted by richb View Post
          The version that came through is 2.12.23-1ubuntu4.1. I am sure 14.04 will come through soon.

          How to mitigate the attack?

          • Upgrade to the latest GnuTLS version (3.2.12 or 3.1.22), or apply the patch for GnuTLS 2.12.x.

          Did the update say the patch was applied, or did it apply the patch to 2.12.x?
          "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
          – John F. Kennedy, February 26, 1962.
          • Top
          • Bottom

          Comment

            #6
            The attack is not exactly hidden, the falsified certificate used will be presented as an exception that needs user approval.
            At least that's how I read the various articles.
            • Top
            • Bottom

            Comment

              #7
              Originally posted by GreyGeek View Post



              Did the update say the patch was applied, or did it apply the patch to 2.12.x?
              The way I read it, it was incorporated into 2.12.23. I did not see any mention of a patch.
              Linux because it works. No social or political motives in my decision to use it.
              Always consider Occam's Razor
              Rich
              • Top
              • Bottom

              Comment

                #8
                I've been back-tracking on the guntls problem and noticed a couple things. First, the ARS article claims that:
                The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated,
                The Chief Architect for ldap, Howard Chu, states in comment #72 of a bug report on this issue in 2010, four years ago, that:
                I read all of the diffs between 1.4.1 and 1.4.4 but didn't find any likely suspects. However, tracing the library initialization in gdb, I found the specific problem.
                Ordinarily gnutls will initialize the gcrypt library, if no app has done so already. In the gnutls initialization, it specifically turns gcrypt's secure malloc off, and everything works fine.
                However, in my trace on Lucid, libnss-ldap is linked to libldap_r, not libldap. And because libldap_r has to support threads, it is required to initialize libgcrypt's thread callbacks, and it must do this before doing anything else with libgcrypt or gnutls.
                http://www.gnupg.org/documentation/m..._002dThreading
                The problem with that is, once we do this thread initialization, libgcrypt considers itself fully initialized. When we next call gnutls's init function, it checks to see if gcrypt is init'd or not, sees that it is, and skips any further init'ing. So the secure malloc stuff remains enabled.
                So, the bug is not new and has been worked on for many years, even by Chu himself, who made a patch in #73, and in 2008 post stated:
                Looking across more of their APIs, I see that the code makes liberal use of strlen and strcat, when it needs to be using counted-length data blobs everywhere. In short, the code is fundamentally broken; most of its external and internal APIs are incapable of passing binary data without mangling it. The code is completely unsafe for handling binary data, and yet the nature of TLS processing is almost entirely dependent on secure handling of binary data.

                I strongly recommend that GnuTLS not be used. All of its APIs would need to be overhauled to correct its flaws and it's clear that the developers there are too naive and inexperienced to even understand that it's broken.
                That 2008 thread was also used as an opportunity by some to bash the GPL's "lack of cooperation" with other licenses.

                Chu repeats this theme four years later in a comment on the ARS article. His recommendation of four years ago, before and since then, has always been, of course (#55), to drop gnutls and use libnss-ldapd.
                Regardless of what the root cause turns out to be, you guys really need to switch to libnss-ldapd, which will reliably isolate the user apps from whatever junk is going on inside libldap / gnutls / whatever.
                It turns out that the RH security programmer who discovered the problem is none other than
                The CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the
                Red Hat Security Technologies Team.
                the programmer who wrote the code in 2003, Nikos Mavrogiannopoulos.

                So, the problems with gnutls are not new and there have been many bugs and patches on that code, just like most other pieces of both GPL code. The problem has been found, and in some cases already patched, with more patches coming down the line. As far as risk goes, all someone has to do is point out a security breach that can be attributed to gnutls to prove that the bad guys found the hole before Nick did. I doubt that anyone can, or we would have head about it on the NYT front pages.
                Last edited by GreyGeek; Mar 05, 2014, 08:11 PM.
                "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
                – John F. Kennedy, February 26, 1962.
                • Top
                • Bottom

                Comment

                  #9
                  HUGE update this morning...
                  gnutls26 (2.12.23-12ubuntu2) trusty; urgency=medium

                  * SECURITY UPDATE: certificate validation bypass
                  - debian/patches/CVE-2014-0092.patch: correct return codes in
                  lib/x509/verify.c.
                  - CVE-2014-0092
                  "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
                  – John F. Kennedy, February 26, 1962.
                  • Top
                  • Bottom

                  Comment

                    #10
                    Yep! Got it here!
                    • Top
                    • Bottom

                    Comment

                    Previous template Next
                    Working...
                    X