Many Linux distributions appear vulnerable to critical GnuTLS bug

Many open source software, including the Linux distributions of Red Hat, Debian and Ubuntu, have been found to be vulnerable due to a bug in the GnuTLS library that makes it possible to bypass SSL and TLS and trap Internet traffic. The bug is reminiscent of a recent Apple leak.

GnuTLS is a ssl/tls implementation library and many open source software, including operating systems and hundreds of programs, use it. However, there appears to be a bug in the GnuTLS code, which makes it possible to circumvent the ssl/tls protection. SSL and TLS are the main encryption protocols for internet traffic and they prevent important communications such as internet banking and webmail from being intercepted.

The error in the code prevents certain verification checks from being performed. This means that no proper authentication of the tls or X509 certificates takes place and invalid certificates can be accepted as valid, Existentialize describes. The bug may have been in the code for years and the reason it went undetected would be because it is difficult to thoroughly test tls implementations.

Apple recently found out, too: Both iOS and OS X were found to be susceptible to ssl and tls bypassing due to a flaw in code that’s come to be called the “goto fail,” after the double-entry of that line of code that caused the bug. Apple has fixed the vulnerability in both operating systems. The GnuTLS bug was discovered during an audit for Red Hat. A GnuTLS developer calls the bug “embarrassing.” GnuTLS recommends upgrading to version 3.2.12. Because the library is woven into so much software, it will probably take a long time to update all programs and operating systems.