GnuTLS patch fixes certificate verification problem

A flaw in GnuTLS, which would enable an attacker to bypass certificate validation checks, has been patched. Fixes are being pushed to all major Linux distributions.

Nikos Mavrogiannopoulos, the developer of GnuTLS, announced on Monday that an audit performed by Red Hat discovered the "important (and at the same time embarrassing) bug."

At issue is the certificate verification checks used by GnuTLS. Using a specific type of fake certificate, an attacker would be able to get GnuTLS to accept it as valid, granting access to what would otherwise be secure communications. If successful, that enables them with the ability to sit on the wire and monitor traffic in clear text, or inject code of their choosing – creating a wider surface of attack.

The issue impacts versions of GnuTLS 3.2.11 / 3.1.21 and earlier. The fix is available now in versions 3.2.12  3.1.22.

According to the security advisories on LWN, Debian, Mageia, Oracle, Red Hat, Scientific Linux, Slackware, SUSE, and Ubuntu have all pushed updated versions to their users. It's advised that these patches are applied immediately.

The lesson to learn with the disclosure of this bug isn't that it's embarrassing.

Flaws happen in code, and some of them will be serious. No, embarrassment shouldn't be the focus. The lesson here is that code analysis works, and consistent checks after the code as been deployed could catch things that might be missed during normal QA audits.

This is exactly why Red Hat wanted the audits performed. But unfortunately, they're a massive enterprise operation, so they have the time, and more importantly, the resources to push such initiatives into reality.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.