Serious flaw in GnuTLS library endangers SSL clients and systems

A vulnerability patched in the GnuTLS library can potentially be exploited from malicious servers to execute malware on computers

A serious vulnerability that could be exploited to crash TLS clients and potentially execute malicious code on underlying systems was patched in the popular GnuTLS cryptographic library.

The memory corruption vulnerability, which is tracked as CVE-2014-3466, was fixed in GnuTLS 3.3.3, GnuTLS 3.2.15 and GnuTLS 3.1.25 released Friday. Since then, the GnuTLS developers also released GnuTLS 3.3.4 to fix a non-security-related hardware acceleration bug.

GnuTLS is an open-source implementation of the SSL (Secure Sockets Layer), TLS (Transport Layer Security) and DTLS (Datagram Transport Layer Security) protocols which are used to encrypt communications on the Internet.

While not as popular as the OpenSSL library, GnuTLS is still widely used, being shipped by default with various Linux distributions including Red Hat, Ubuntu and Debian. Over 200 Linux software packages also depend on it for SSL/TLS support.

According to an entry on the Red Hat bug tracker, a malicious server could exploit the newly patched vulnerability by sending a very long session ID value during the SSL/TLS handshake. This can crash clients that use GnuTLS and can potentially allow attackers to execute arbitrary code on the system. Red Hat flagged the issue as being of high priority and severity.

Joonas Kuorilehto, a principal systems engineer at Codenomicon, was credited with reporting the vulnerability. Researchers from the same company also found the critical Heartbleed flaw in OpenSSL earlier this year prompting a global patching effort of SSL/TLS servers and clients.

In March, the GnuTLS developers fixed a different vulnerability that could have allowed attackers to craft rogue SSL certificates for websites of their choice that would have been accepted by the library as valid.

Join the PC World newsletter!

Error: Please check your email address.

Tags patchesonline safetysecuritypatch managementencryptionRed HatExploits / vulnerabilitiesmalwareprivacyCodenomiconintrusion

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?