Linux Security Vulnerability Leaves Users Open to Attacks

Not so long ago, headlines were hit by the news of a variety of Linux distributions found to be vulnerable to attacks caused by a bug that allows perpetrators bypass various key security protocols. As a result, they are able to intercept and disseminate information that is supposed to be secure, because it is encrypted. The Red Hat security team discovered the vulnerability in the GnuTLS library that makes it possible for the intruders to circumvent the TLS, transport layer security, and SSL, secure sockets layer.

The vulnerability in question damages the certificate verification process, which means that connections that were supposed to be secure, are, in fact, not. Perpetrators could compromise the seemingly secure connection using a man-in-the-middle attack, acting like a server to be able to intercept traffic, secure information or financial transactions.

Not so long ago, we reported about Apple patching its own security bug when researchers found a critical flaw that allowed hackers to fool servers and intercept secure data transmission from Apple’s servers. If compared, Apple’s users are far more numerous than the Linux, and the Linux flaw is considerably smaller than that of Apple, which made vulnerable not only mobile devices, but also Macs. Nevertheless, the challenge here is the patching, which will be significantly more difficult for the GnuTLS vulnerability.

Here’s the part of the statement from the Red Hat security team:

“Nikos Mavrogiannopoulos of the Red Hat security technologies team and GnuTLS project discovered a certificate verification security issue affecting GnuTLS on 19 February, 2014 whilst auditing the code. We then used our standard processes to notify and work with other affected distributions in advance. Updates to correct this flaw were released on 3 March, 2014 from Red Hat, GnuTLS, and others.”

In addition, Red Hat issued an advisory that explains how users can upgrade to patched packages.

According to Ars Technica, more than 200 operating systems of various kinds and applications are vulnerable. The flaw affects a large number of open source packages including:

• Ubuntu
• Debian
• Red Hat distributions of Linux.

It is still not clear how many systems and software packages are vulnerable. However, we can track back fluctuating reports of insecurities in the GnuTLS as far as to 2008. For example, this OpenLDAP forum thread was created by the chief architect at Symas software company, suggesting that the GnuTLS codes was broken and “completely unsafe for handling binary data, and yet the nature of TLS processing is almost entirely dependent on secure handling of binary data.”

The advisory from Red Hat team strongly recommends all the users to update to the most recent version, or fix the problem manually applying the patch listed on the website. Debian also released a guide about the bug and similar instructions as to how to patch it.

Why This Bug Is Worse Than Apples Security Vulnerability

When Apple’s security flaw in SSL has been discovered last week, the company responded quickly and issued emergency bug fixes for iOS, and shortly thereafter for OS X. The company was capable of releasing quick fixes across its mobile and desktop echo systems in one quick swoop – roughly about several days apart only – but not before the exploit was published online with a proven men-in-the middle attack that takes advantage of the Apple’s security flaw.

Unlike Apple users, Linux users use extremely different kinds of operating systems that get easily updated and their respective companies have to do a lot more testing to patch large number of packages.

“It’s not just a matter of patching these bugs, but you have to go back and see how the software reacts to the patch – so many software packages in the scope of getting fixed. Not only are there multiple software packages, but you have multiple clients and software packages on top of that,” said representative of the security firm Bugcrowd Casey Ellis.

How to Check If You Are Vulnerable

This website can determine if your software is vulnerable to the Apple flaw, and now it works to determine the GnuTLS vulnerability, too. Ellis confirms the website functions to effectively sort out if the client’s software is susceptible to the vulnerability, but the GnuTLS vulnerability testing results are not as reliable as those for the Apple bug. As a result, a single “pass” is not enough to make an accurate decision since there are too many software packages that may be installed on the system.

On the other hand, the GnuTLS bug is not nearly as big as that of Apple SSL, according to Carlo Daffara, founder and CTO of CloudWeaver:

“Oh, come on. The Apple bug affected all SSL connection. GnuTLS is hardly used at all, and certainly not by people that needs good crypto.”

We have yet to share some official statistics about how many people were actually affected by the GnuTLS bug, and in contrast to Apple’s proprietary software, the open source updates are so liberal as to be optional. As a result, if there is a flaw on one server, each server stands for thousands of users that can be potentially affected. The best news is the patch is already out there, and it’s up to users to upgrade.

“The Apple bug was a big deal because it affected millions of mobile consumers, but the scope of people affected by the GnuTLS vulnerability is probably smaller. It’s worse because it will take a lot longer to cleanup. In terms of being messy and difficult to recover from, it’s worse,” said Ellis.

You can find the GnuTLS bug fix here.