Menu
Serious flaw in GnuTLS library endangers SSL clients and systems

Serious flaw in GnuTLS library endangers SSL clients and systems

A vulnerability patched in the GnuTLS library can potentially be exploited from malicious servers to execute malware on computers

A serious vulnerability that could be exploited to crash TLS clients and potentially execute malicious code on underlying systems was patched in the popular GnuTLS cryptographic library.

The memory corruption vulnerability, which is tracked as CVE-2014-3466, was fixed in GnuTLS 3.3.3, GnuTLS 3.2.15 and GnuTLS 3.1.25 released Friday. Since then, the GnuTLS developers also released GnuTLS 3.3.4 to fix a non-security-related hardware acceleration bug.

GnuTLS is an open-source implementation of the SSL (Secure Sockets Layer), TLS (Transport Layer Security) and DTLS (Datagram Transport Layer Security) protocols which are used to encrypt communications on the Internet.

While not as popular as the OpenSSL library, GnuTLS is still widely used, being shipped by default with various Linux distributions including Red Hat, Ubuntu and Debian. Over 200 Linux software packages also depend on it for SSL/TLS support.

According to an entry on the Red Hat bug tracker, a malicious server could exploit the newly patched vulnerability by sending a very long session ID value during the SSL/TLS handshake. This can crash clients that use GnuTLS and can potentially allow attackers to execute arbitrary code on the system. Red Hat flagged the issue as being of high priority and severity.

Joonas Kuorilehto, a principal systems engineer at Codenomicon, was credited with reporting the vulnerability. Researchers from the same company also found the critical Heartbleed flaw in OpenSSL earlier this year prompting a global patching effort of SSL/TLS servers and clients.

In March, the GnuTLS developers fixed a different vulnerability that could have allowed attackers to craft rogue SSL certificates for websites of their choice that would have been accepted by the library as valid.


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Tags securityprivacypatch managementmalwareencryptionRed Hatonline safetyintrusionpatchesExploits / vulnerabilitiesCodenomicon

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments