http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
By Dan Goodin
Ars Technica
Mar 4 2014
Hundreds of open source packages, including the Red Hat, Ubuntu, and
Debian distributions of Linux, are susceptible to attacks that circumvent
the most widely used technology to prevent eavesdropping on the Internet,
thanks to an extremely critical vulnerability in a widely used
cryptographic code library.
The bug in the GnuTLS library makes it trivial for attackers to bypass the
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protections
available on websites that depend on the open source package. Initial
estimates circulating in online discussions indicate that more than 200
different operating systems or applications rely on GnuTLS to implement
crucial SSL and TLS operations, but it wouldn't be surprising if the actual
number is much higher. Web applications, e-mail programs, and other code
that use the library are vulnerable to exploits in which an attacker
positioned between an end user and a server presents a forged certificate,
has it accepted as genuine, and silently reads or alters the traffic that
the user believes is encrypted end to end.
The bug is the result of commands in a section of the GnuTLS code that
verify the authenticity of TLS certificates, which are often known simply
as X.509 certificates. The coding error, which may have been present in the
code since 2005, causes an error raised partway through verification to
abort the remaining checks and be reported as a successful result, drawing
ironic parallels to the extremely critical "goto fail" flaw that for months
put users of Apple's iOS and OS X operating systems at risk of surreptitious
eavesdropping attacks. Apple developers have since patched the bug.
"It was discovered that GnuTLS did not correctly handle certain errors
that could occur during the verification of an X.509 certificate, causing
it to incorrectly report a successful verification," an advisory issued by
Red Hat warned. "An attacker could use this flaw to create a specially
crafted certificate that could be accepted by GnuTLS as valid for a site
chosen by the attacker."
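The two paragraphs above describe the shape of the flaw without showing it. The C program below is an added example, not GnuTLS's own code and not taken from the Red Hat advisory: it re-creates the pattern in miniature, with a hypothetical certificate struct, a stand-in parser, and a made-up error constant (ERR_ASN1_PARSE) in place of the library's real types and names. A CA check that is documented as returning 1 (is a CA) or 0 (is not) jumps to its cleanup label on a parse error while still holding a negative error code; a caller that tests the result with == 0 then treats that negative value as "is a CA". The hardened version routes every failure through a label that forces the answer to 0 before cleanup, which is the same kind of fix the advisory's wording implies.

```c
/*
 * Added example, not GnuTLS code: a minimal model of "error code on an
 * early-exit path reported as success" in X.509 chain verification.
 * All names and constants here are hypothetical stand-ins.
 */
#include <stdio.h>
#include <stdbool.h>

#define ERR_ASN1_PARSE (-42)   /* hypothetical negative error code */

/* Stand-in for a parsed certificate. A real library would decode the
 * DER basicConstraints extension; the malformed_ext flag models the
 * case where that decoding fails, which an attacker can trigger by
 * handing over a deliberately broken extension. */
struct cert {
    const char *subject;
    bool ca_flag;        /* basicConstraints cA bit                 */
    bool key_cert_sign;  /* keyUsage permits signing certificates   */
    bool malformed_ext;  /* constructed: parsing the extension fails */
};

/* Stand-in parser: 1 if cA is set, 0 if not, negative on error. */
static int parse_basic_constraints(const struct cert *c)
{
    if (c->malformed_ext)
        return ERR_ASN1_PARSE;
    return c->ca_flag ? 1 : 0;
}

/* VULNERABLE: documented as returning 1 (CA) or 0 (not CA), but the
 * error branch reaches cleanup with result still negative, and a
 * negative int is != 0, so the caller below reads it as "is a CA". */
int check_if_ca_vulnerable(const struct cert *issuer)
{
    int result = parse_basic_constraints(issuer);
    if (result < 0)
        goto cleanup;                 /* bug: error leaks out as true */
    if (result == 1 && !issuer->key_cert_sign)
        result = 0;                   /* cA set but key may not sign */
cleanup:
    return result;
}

/* FIXED: every failure path funnels through a label that forces the
 * safe answer before the shared cleanup code. */
int check_if_ca_fixed(const struct cert *issuer)
{
    int result = parse_basic_constraints(issuer);
    if (result < 0)
        goto fail;
    if (result == 1 && !issuer->key_cert_sign)
        result = 0;
    goto cleanup;
fail:
    result = 0;                       /* unparseable => NOT a CA */
cleanup:
    return result;
}

/* Simplified chain check: the issuer must be a CA. Returns 1 when the
 * leaf is accepted, 0 when rejected. Signature checking is omitted
 * because the flaw being modelled sits before it. */
static int verify_leaf(const struct cert *issuer,
                       int (*check_if_ca)(const struct cert *))
{
    if (check_if_ca(issuer) == 0)
        return 0;                     /* issuer is not a CA: reject */
    return 1;
}

/* Attacker scenario: a self-made issuer with a malformed extension. */
int malformed_issuer_accepted(int (*check_if_ca)(const struct cert *))
{
    struct cert issuer = { "attacker-controlled", false, false, true };
    return verify_leaf(&issuer, check_if_ca);
}

/* Sanity cases: a real CA must still pass, a plain end-entity cert
 * must still fail, under both versions of the check. */
int legitimate_ca_accepted(int (*check_if_ca)(const struct cert *))
{
    struct cert issuer = { "Example Root CA", true, true, false };
    return verify_leaf(&issuer, check_if_ca);
}

int non_ca_accepted(int (*check_if_ca)(const struct cert *))
{
    struct cert issuer = { "www.example.test", false, false, false };
    return verify_leaf(&issuer, check_if_ca);
}

int main(void)
{
    printf("malformed issuer accepted, vulnerable: %d\n",
           malformed_issuer_accepted(check_if_ca_vulnerable));   /* 1 */
    printf("malformed issuer accepted, fixed:      %d\n",
           malformed_issuer_accepted(check_if_ca_fixed));        /* 0 */
    return 0;
}
```

The practitioner's takeaway is the calling convention mismatch: a function whose contract is boolean must never let a multi-valued error code escape through a shared cleanup label, and callers of such functions should compare against the documented success value (== 1) rather than against 0, so that a stray negative value fails closed.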
[...]