Over the past few weeks, we’ve seen some serious Zero Day vulnerabilities in both Microsoft and Apple software. We had the Internet Explorer exploit in late February (for which a workaround has been issued but which hasn’t yet been patched) and the iOS and OS X “goto fail” coding flaw that has now been patched for both the mobile and desktop operating systems. Well, now it’s Linux’s turn.
This week, reports appeared that a new Zero Day bug has been found in the cryptographic code library that’s used by hundreds of different distros of the open source Linux operating system. The GnuTLS library, as its name implies, is an implementation of the Transport Layer Security (TLS) protocol and its predecessor, Secure Sockets Layer (SSL). Its purpose is to provide a way for Linux client applications to establish secure communications over a TCP/IP network such as the Internet.
Web sites such as financial sites and those that ask for personal information use SSL/TLS to encrypt that data as it travels across the Internet from client to server. Without those protections, credit card numbers, bank account numbers, social security numbers, medical information and other confidential data that’s entered into web forms could potentially be intercepted and used by attackers for identity theft and other criminal purposes. SSL/TLS can also be used to protect email and data sent to social networking sites and other applications.
This particular vulnerability can be exploited to bypass the protection of SSL/TLS. As with the Apple vulnerability, there is an error in the code that allows for eavesdropping or “man in the middle” attacks, because important mechanisms for checking the authenticity of the digital certificates on which SSL/TLS is based are not properly implemented. The really scary thing is that, also like the Apple bug, this vulnerability has most likely been present for a long time. It’s just now coming to light, possibly because the publicity surrounding the Apple issue caused researchers to check the Linux code for the same problem.
As for the technical details, unlike the Apple situation, there was more than one error in the code, and they’re related to a “goto cleanup” command. This results in the acceptance of fraudulent certificates that should have been rejected if the verification process were working correctly. An attacker could use such a fraudulent certificate to decrypt data that was supposed to be secured.
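To show the class of coding flaw described above, here is an added illustration written for this page; it is not GnuTLS code, and the certificate fields, the nonzero-means-valid return convention, the helper and the error code are all constructed assumptions. The buggy routine jumps to a cleanup label on a helper error and returns the helper’s negative error code unchanged, which a caller testing for “nonzero” reads as a valid certificate; the fixed routine forces the “not valid” value on every failure path.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed toy certificate: only the fields this illustration needs. */
struct cert {
    const char *subject;
    const char *signature;  /* constructed: "valid" when it equals TRUSTED_SIG */
    int version;            /* constructed: only version 3 is supported */
};

#define TRUSTED_SIG "signed-by-trusted-ca"  /* stand-in for a real signature check */
#define ERR_BAD_VERSION (-7)                /* hypothetical negative error code */

/* Constructed sample certificates used by the checks below. */
static const struct cert GOOD_CERT   = { "bank.example", TRUSTED_SIG, 3 };
static const struct cert FORGED_CERT = { "bank.example", "forged",    2 };

/* Mimics an internal parsing helper: 0 on success, negative on error. */
static int decode_version(const struct cert *c) {
    return c->version == 3 ? 0 : ERR_BAD_VERSION;
}

/* Buggy pattern. Contract: nonzero means "certificate is valid".
 * When the helper fails, its negative error code stays in `result` and is
 * returned through the cleanup label, so a caller testing "nonzero" accepts
 * a certificate whose signature was never checked. */
int verify_cert_buggy(const struct cert *c) {
    int result = decode_version(c);
    if (result < 0)
        goto cleanup;               /* bug: result is ERR_BAD_VERSION (-7) here */
    result = strcmp(c->signature, TRUSTED_SIG) == 0;
cleanup:
    return result;                  /* -7 reaches the caller and reads as "valid" */
}

/* Fixed pattern: every failure path leaves result at 0 ("not valid"). */
int verify_cert_fixed(const struct cert *c) {
    int result = 0;
    if (decode_version(c) < 0)
        goto cleanup;               /* result is still 0: rejected */
    result = strcmp(c->signature, TRUSTED_SIG) == 0;
cleanup:
    return result;
}

/* Typical caller: any nonzero verifier result means "trust this peer". */
bool peer_trusted(const struct cert *c, int (*verify)(const struct cert *)) {
    return verify(c) != 0;
}
```

The lesson for reviewers is that a shared cleanup label must never return a value whose meaning depends on which path reached it; error codes and boolean results need separate variables or an explicit reset before the jump.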
Open source software is often touted as being more secure because anyone can review the code and, in theory, such errors will be found and corrected more quickly. It appears that, in this case, it didn’t work so well. Some security experts are calling this vulnerability even more serious than the iOS/OS X one, although with Apple having 7.68 percent of the desktop market share with OS X and 52.96 percent of mobile market share with iOS, in comparison with Linux’s 1.48 percent, according to NetMarketShare statistics for February 2014, its impact is less far-reaching.
The Linux-based Android operating system uses a different SSL/TLS library (OpenSSL), but there may be Android apps that use GnuTLS. The GnuTLS library can also be used in Windows and OS X, as well as any UNIX operating system.
The good news is that, now that the word is out, the Linux community is moving to fix it. An update, GnuTLS 3.2.12, patches the hole. Some Linux vendors will distribute this as an automatic update; other distros may have to be patched manually.