Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

IvanIV Posts: 30,310
Forum Member
✭✭✭
"The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package."

So Apple users weren't that special after all :D Now something for Windows and we can all congratulate each other :p

Comments

  • cnbcwatcher Posts: 56,681
    Forum Member
    I thought Linux was supposed to be the most secure out of all the main computer operating systems? :D
  • IvanIV Posts: 30,310
    Forum Member
    ✭✭✭
    Necessity vs. sufficiency. A good fundament is a must, but if you use it wrongly even mighty Linux can't save you.
  • emptybox Posts: 13,917
    Forum Member
    ✭✭
    I don't pretend to understand most of that link, but seems this is a vulnerability that has been there since 2005 and hasn't as yet been exploited?

    Anyway Linux tends to be more secure because you always have to provide the root password before any software gets installed, or any change gets made to system files.
    Plus the userbase is so small that nobody bothers writing any malware for it. :D
  • 1saintly Posts: 4,197
    Forum Member
    ✭✭✭
    emptybox wrote: »
    I don't pretend to understand most of that link, but seems this is a vulnerability that has been there since 2005 and hasn't as yet been exploited?

    Anyway Linux tends to be more secure because you always have to provide the root password before any software gets installed, or any change gets made to system files.
    Plus the userbase is so small that nobody bothers writing any malware for it. :D

    And it seems using an Arch based distro, according to the OP's link, offers better security than Debian.
    Good job I use Arch then.
  • stu0rt Posts: 946
    Forum Member
    ✭✭
    I just did the update on my CentOS systems and the latest they can find (via yum) is 2.8, whereas the latest fixed version is 3.12!
  • stu0rt Posts: 946
    Forum Member
    ✭✭
    emptybox wrote: »
    Anyway Linux tends to be more secure because you always have to provide the root password before any software gets installed, or any change gets made to system files.

    Unfortunately this vulnerability has nothing to do with installing software. It would in theory allow anyone to view the plain-text version of any 'encrypted' data sent to any websites running on a vulnerable Linux system.
  • emptybox Posts: 13,917
    Forum Member
    ✭✭
    stu0rt wrote: »
    I just did the update on my CentOS systems and the latest they can find (via yum) is 2.8, whereas the latest fixed version is 3.12!

    The latest version of what though? That's what my befuddled brain couldn't glean from the article.

    I'm actually writing this from my Arch install, and it's on version 3.12.8 of the kernel, whereas all my Ubuntu/Debian based ones are on 3.11 something.
    Is that what it's talking about?
  • Maxatoria Posts: 17,980
    Forum Member
    ✭✭
    It's the version of the TLS package, not the kernel version.
  • zx50 Posts: 91,270
    Forum Member
    ✭✭✭
    I thought Linux was supposed to be the most secure out of all the main computer operating systems? :D

    Just because it's the most secure, this doesn't mean that it's immune to viruses. This might be the first virus in goodness knows how long that's been written for it.

    Edit: I'm sure the writers of these OSs will get straight onto this.
  • zx50 Posts: 91,270
    Forum Member
    ✭✭✭
    stu0rt wrote: »
    Unfortunately this vulnerability has nothing to do with installing software. It would in theory allow anyone to view the plain-text version of any 'encrypted' data sent to any websites running on a vulnerable Linux system.

    Ah, I get it now.
  • IvanIV Posts: 30,310
    Forum Member
    ✭✭✭
    emptybox wrote: »
    I don't pretend to understand most of that link, but seems this is a vulnerability that has been there since 2005 and hasn't as yet been exploited?

    Anyway Linux tends to be more secure because you always have to provide the root password before any software gets installed, or any change gets made to system files.
    Plus the userbase is so small that nobody bothers writing any malware for it. :D

    It's not clear if it was exploited or not. You do not always announce with fanfares that you were able to intercept something. It might be better to keep listening and keep quiet about it. Given it's all open source, anybody with enough dedication and knowledge could have discovered it a long time ago and used it.

    Password protection/UAC has nothing to do with this. The code contains an error and may report that it successfully verified a certain entity even when its certificate is invalid and the check should have failed. Depending on what follows, it can have fatal consequences.
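The failure mode IvanIV describes, a verifier that reports success for a certificate it could not actually validate, is easy to reproduce in miniature. The following C program is an added illustration written for this page; it is a constructed mock, not GnuTLS source code, and the names `mock_cert`, `check_if_ca`, `issuer_accepted_buggy`, `issuer_accepted_fixed` and `verdict` are all invented here. It shows a helper that uses the common C convention of 1 = true, 0 = false, negative = error, next to two callers: one that tests the result as a plain boolean (so an error code is mistaken for "yes, this is a CA") and one that only accepts an explicit 1 and fails closed on everything else.

```c
/* Added illustration (constructed mock, not GnuTLS source code) of the failure
 * mode described above: a helper that signals errors with negative return
 * values, combined with a caller that tests the result as a plain boolean. */
#include <stdio.h>

typedef struct {
    const char *subject;
    int is_ca;       /* basicConstraints CA flag: 1 = CA, 0 = not a CA */
    int malformed;   /* constructed: 1 = the extension cannot be parsed */
} mock_cert;

/* Three-valued convention common in C crypto libraries:
 * 1 = true, 0 = false, negative = an error occurred. */
static int check_if_ca(const mock_cert *cert)
{
    if (cert->malformed)
        return -1;               /* parse error, NOT a verdict */
    return cert->is_ca ? 1 : 0;
}

/* Buggy caller: any non-zero value, including the -1 error code, is treated
 * as "this certificate is a CA", so a malformed issuer is accepted. */
int issuer_accepted_buggy(const mock_cert *issuer)
{
    if (check_if_ca(issuer))
        return 1;
    return 0;
}

/* Fixed caller: only an explicit 1 counts as a CA; 0 and errors fail closed. */
int issuer_accepted_fixed(const mock_cert *issuer)
{
    int ret = check_if_ca(issuer);
    if (ret != 1)
        return 0;
    return 1;
}

/* Runs one constructed case through either verifier.
 * kind: 0 = genuine CA, 1 = end-entity (non-CA) certificate,
 *       2 = certificate whose basicConstraints cannot be parsed.
 * use_fixed: 0 = buggy caller, 1 = fixed caller.
 * Returns 1 if the issuer was accepted, 0 if rejected. */
int verdict(int kind, int use_fixed)
{
    mock_cert c = { "constructed issuer", 0, 0 };
    if (kind == 0)
        c.is_ca = 1;
    else if (kind == 2)
        c.malformed = 1;
    return use_fixed ? issuer_accepted_fixed(&c) : issuer_accepted_buggy(&c);
}

int main(void)
{
    static const char *names[] = { "genuine CA", "non-CA leaf", "malformed extension" };
    for (int k = 0; k < 3; k++)
        printf("%-22s buggy=%d fixed=%d\n", names[k], verdict(k, 0), verdict(k, 1));
    return 0;
}
```

Both callers agree on a genuine CA and on an ordinary leaf certificate; they differ only on the malformed case, which is exactly the one a verifier must reject. The defensive habit this demonstrates is to compare against the one value that means success and treat every other value, error codes included, as failure.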
  • emptybox Posts: 13,917
    Forum Member
    ✭✭
    Maxatoria wrote: »
    It's the version of the TLS package, not the kernel version.

    And is the vulnerability closed by GNUTLS version 3.2.12?

    http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7341
  • emptybox Posts: 13,917
    Forum Member
    ✭✭
    Another (perhaps easier to follow?) article on it.
    http://www.tomsguide.com/us/critical-linux-flaw-gnutls,news-18406.html

    Seems Ubuntu/Mint users shouldn't have to wait too long for a patch?
  • Maxatoria Posts: 17,980
    Forum Member
    ✭✭
    emptybox wrote: »
    And is the vulnerability closed by GNUTLS version 3.2.12?

    http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7341

    looks like it

    ** libgnutls: Corrected certificate verification issue (GNUTLS-SA-2014-2)

    ** libgnutls: Corrected issue in gnutls_pcert_list_import_x509_raw
    when provided with invalid data. Reported by Dmitriy Anisimkov.
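stu0rt's observation that yum on CentOS offers only a 2.8 series package, while the release notes above belong to 3.2.12, points at a check practitioners need to get right: on enterprise distributions a security fix is usually backported into the existing package and the upstream version string is not bumped, so the version number alone can say "unpatched" for a package that is in fact fixed. The POSIX shell script below is an added example written for this page, not from the thread, GnuTLS or any distribution. It compares the installed version against the 3.2.12 threshold and, when that fails, looks for the advisory id GNUTLS-SA-2014-2 (quoted from the release notes above) in the package changelog. The functions `version_ge` and `assess`, the sample changelog text and its packager, date and release strings are all constructed here; it also assumes a single release line, so a differently numbered maintained branch would need its own threshold.

```shell
#!/bin/sh
# Added example (not from the thread, GnuTLS or any distribution): decide whether
# an installed gnutls package carries the GNUTLS-SA-2014-2 fix. Two checks are
# combined because a version number alone misleads: enterprise distributions
# typically backport security fixes and keep the old upstream version string.

FIXED_VERSION="3.2.12"            # release named in the thread as carrying the fix
ADVISORY="GNUTLS-SA-2014-2"       # advisory id quoted from the release notes above

# version_ge A B: succeed when dotted numeric version A is >= B.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"        # leading component of each
        if [ "$ac" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bc" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ac="${ac:-0}"; bc="${bc:-0}"        # missing components count as 0
        if [ "$ac" -gt "$bc" ]; then return 0; fi
        if [ "$ac" -lt "$bc" ]; then return 1; fi
    done
    return 0
}

# assess VERSION CHANGELOG_TEXT: print a verdict; succeed only when the package
# is considered patched, either by version or by a backport note in its changelog.
assess() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "patched: upstream version $1 >= $FIXED_VERSION"
        return 0
    fi
    if printf '%s\n' "$2" | grep -qF -- "$ADVISORY"; then
        echo "patched: $1 with backported fix ($ADVISORY in changelog)"
        return 0
    fi
    echo "not verified: $1 and no $ADVISORY entry in changelog"
    return 1
}

# Constructed sample changelogs in the style of 'rpm -q --changelog gnutls';
# the packager, dates and release strings are invented placeholders.
SAMPLE_BACKPORT_CHANGELOG='* Tue Mar 04 2014 Package Maintainer <maint@example.invalid> - 2.8.5-14
- Corrected certificate verification issue (GNUTLS-SA-2014-2)'
SAMPLE_OLD_CHANGELOG='* Mon Jan 06 2014 Package Maintainer <maint@example.invalid> - 2.8.5-10
- rebuild'

assess "3.2.12" "" || :
assess "2.8.5" "$SAMPLE_BACKPORT_CHANGELOG" || :
assess "2.8.5" "$SAMPLE_OLD_CHANGELOG" || :

# On a live RPM-based system the same check reads the real package data:
#   assess "$(rpm -q --qf '%{VERSION}' gnutls)" "$(rpm -q --changelog gnutls)"
```

The third sample case is the one that matters operationally: an old version with no advisory mention is reported as "not verified" rather than as safe, so the script fails closed when the evidence is missing. A changelog search is only as good as the packager's habit of citing advisory ids, so a negative result is a prompt to check the distribution's own security notice, not a proof that the package is vulnerable.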
  • kjhskj75 Posts: 3,005
    Forum Member
    ✭✭✭
    Worth pointing out that most software doesn't use GnuTLS for encrypted communications anyway.

    Firefox and its friends use NSS and other stuff uses OpenSSL.
  • whoever,hey Posts: 30,992
    Forum Member
    ✭✭✭
    kjhskj75 wrote: »
    Worth pointing out that most software doesn't use GnuTLS for encrypted communications anyway.

    Firefox and its friends use NSS and other stuff uses OpenSSL.

    It's worth pointing out that GnuTLS is still used in software though. Even Wireshark, though I'm not sure what for!