The free-software GNU Project has been hit by a serious security flaw in its TLS implementation, GnuTLS, potentially putting Linux users at risk of man-in-the-middle attacks when communicating with supposedly secure systems.

The GNU Project provides a collection of free software utilities which form the heart of many modern operating systems, most noteably Linux - more correctly termed GNU/Linux for its merging of the Linux kernel and the GNU utilities. One such utility is GnuTLS, a communications library which implements SSL, TLS and DTLS - three common protocols for encrypted communications, typically used in a web browser when sending usernames, passwords, credit card numbers or other sensitive information.

Sadly, it appears that GnuTLS has something of a flaw which allows a ne'er-do-well to implement a man-in-the-middle attack, presenting an invalid security certificate forged to seem as though it belongs to the site being visited which is then accepted without question by GnuTLS and, by extension, any software that relies on the library.

The flaw, a simple coding error resulting in sections of the program not being executed correctly, was discovered by Red Hat security specialist Nikos Mavrogiannopoulos during an audit, but is believed to have been present in the code for a number of years. 'A vulnerability was discovered that affects the certificate verification functions of all GnuTLS versions,' the project maintainers have warned. 'A specially crafted certificate could bypass certificate validation checks.'

If the flaw sounds familiar, it should: late last month Apple was hit by a near-identical issue which caused certificate validation to pass even when certificates were forged. Both Apple's TLS library and GnuTLS are open source, which led to fixes being developed rapidly once the flaw was known.

For Linux users, as well as other operating systems which use the GNU utilities, the message from the project maintainers is clear: 'Upgrade to the latest GnuTLS version.' A patch has also been made available to GnuTLS 2.12, allowing those running embedded systems based on the older branch of the software to secure against the bug.


View this in the forums