GnuTLS Flaw Exposes Hundreds of Apps to Intrusion on Windows/Linux/BSD

A critical vulnerability in GnuTLS has been discovered by the Red Hat Linux team that could cause bad certificates to be certified as good. The "bug" is eerily similar in nature to the "goto fail" SSL bug that was discovered for Apple iOS in January of this year. Conspiracy theories aside, this shows how hard it can be to create and maintain a strong security infrastructure.

Unfortunately GnuTLS is popular among free operating systems because there are concerns over licensing issues with the stronger OpenSSL library. It is often integrated into operating system core functions like updates and remote access, and it is sometimes used for web servers like Apache and Nginx.

The vulnerability is critical because it would allow an attacker with privileged network access to "man-in-the-middle" a vulnerable computer without the user knowing. This could be done to give servers with automated updates a bogus update that compromises the machine, for example.

The flaw is described on their security alerts page here: http://gnutls.org/security.html and the CVE entry is here but has not yet been updated to disclose the full vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092

There is a patch available already to close the vulnerability. If your machines are using GnuTLS, be sure to update them immediately!


< last
next >