A variety of Linux distributions are vulnerable to hacks because of a bug that allows people to bypass security protocols to intercept and disseminate encrypted information. A member of the Red Hat security team discovered a bug in the GnuTLS library that allows hackers to easily circumvent the Transport Layer Security (TLS) and secure sockets layer (SSL).
The vulnerability affects the certificate verification, meaning secure connections that are supposedly going through as secure, are not. Someone could compromise a secure connection by using a “man-in-the-middle” attack, acting as the server to intercept traffic, financial transactions or secure information.
Apple suffered its own flaw last week when researchers discovered a critical security vulnerability that allowed hackers to spoof servers and intercept supposedly secure data from Apple’s servers. In terms of numbers of users affected, the GnuTLS flaw is considerably smaller than Apple’s bug, which affected iOS and Mac devices alike, but patching the GnuTLS vulnerability for all Linux users will be harder.
A Red Hat representative offered a statement to ReadWrite:
Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team and GnuTLS project discovered a certificate verification security issue affecting GnuTLS on February 19th, 2014 whilst auditing the code. We then used our standard processes to notify and work with other affected distributions in advance. Updates to correct this flaw were released on 3rd March 2014 from Red Hat, GnuTLS, and others.
Red Hat offers an advisory that explains how GnuTLS users can upgrade to packages that correct the issue.
According to Ars Technica, over 200 different operating systems or applications are vulnerable. The bug impacts a number of open source packages including Ubuntu, Debian and Red Hat distributions of Linux. It is still unconfirmed exactly how many systems or applications are vulnerable to the flaw.
Complaints as far back as 2008 point to insecurities in the GnuTLS code. One thread on an OpenLDAP forum, posted by the chief architect at software company Symas, suggested the GnuTLS code is broken, and “completely unsafe for handling binary data, and yet the nature of TLS processing is almost entirely dependent on secure handling of binary data.”
See Also: Keep Learning Linux—It’s The Future
An advisory from GnuTLS tells users to update to the most recent version, or apply the patch listed on its site, to fix the problem. Debian also released an advisory about the bug, offering similar instructions.
How It’s Worse Than Apple’s Security Flaw
After Apple discovered its SSL bug last week, the company quickly responded with emergency bug fixes for iOS and OS X shortly thereafter. Apple was, more or less, able to release fixes across its desktop and mobile ecosystems in one fell swoop—roughly about four days apart—but not before a man-in-the-middle proof of concept was published to take advantage of Apple’s iOS and OS X exploit.
Unlike Apple customers, Linux users don’t all run the same operating system that can easily be updated, and companies have to do more than test the patch on a handful of packages.
“It’s not just a matter of patching these bugs, but you have to go back and see how the software reacts to the patch—so many software packages in the scope of getting fixed,” said Casey Ellis, security researcher and CEO of the firm Bugcrowd. “Not only are there multiple software packages, but you have multiple clients and software packages on top of that.”
This goto fail; website determines whether your software is vulnerable to the Apple bug, and it now works for the GnuTLS bug, too. Ellis confirmed the website works for figuring out if client software is vulnerable, but it is not as reliable as it was for the Apple bug. A single “pass” might not be accurate since multiple software packages could be installed on a system.
However, as CloudWeaver founder and CTO Carlo Daffara points out, the GnuTLS bug isn’t nearly as big a deal as Apple’s SSL bug.
The exact number of users affected by the GnuTLS bug is unclear, and unlike Apple’s proprietary software, open source updates are optional. So, if there is a vulnerability on one server, each server represents thousands of users that could potentially be affected. But at least the GnuTLS bug fix out there already—now it’s just up to people to upgrade.
“The Apple bug was a big deal because it affected [millions] of mobile consumers, but the scope of people affected by [the GnuTLS vulnerability] is probably smaller,” Ellis said. “It’s worse because it will take a lot longer to clean up. In terms of being messy and difficult to recover from, it’s worse.”
Image courtesy of Home of Chaos on Flickr.