
SSL and TLS broken and now open to even 12-year-old script kiddies

  • Thad Floryan
    Message 1 of 10, Mar 4, 2014
      http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/

      Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

      "Hi Ho, Hi Ho, it's back to Windows we go". :-)

      This GnuTLS bug is worse than the big Apple "goto fail" bug patched last week.

      by Dan Goodin - Mar 4, 2014 6:56 pm UTC

      Hundreds of open source packages, including the Red Hat, Ubuntu, and
      Debian distributions of Linux, are susceptible to attacks that
      circumvent the most widely used technology to prevent eavesdropping on
      the Internet, thanks to an extremely critical vulnerability in a widely
      used cryptographic code library.

      The bug in the GnuTLS library makes it trivial for attackers to bypass
      secure sockets layer (SSL) and Transport Layer Security (TLS)
      protections available on websites that depend on the open source
      package. Initial estimates included in Internet discussions such as this
      one indicate that more than 200 different operating systems or
      applications rely on GnuTLS to implement crucial SSL and TLS operations,
      but it wouldn't be surprising if the actual number is much higher. Web
      applications, e-mail programs, and other code that use the library are
      vulnerable to exploits that allow attackers monitoring connections to
      silently decode encrypted traffic passing between end users and servers.

      The bug is the result of commands in a section of the GnuTLS code that
      verify the authenticity of TLS certificates, which are often known
      simply as X509 certificates. The coding error, which may have been
      present in the code since 2005, causes critical verification checks to
      be terminated, drawing ironic parallels to the extremely critical "goto
      fail" flaw that for months put users of Apple's iOS and OS X operating
      systems at risk of surreptitious eavesdropping attacks. Apple developers
      have since patched the bug.

      "It was discovered that GnuTLS did not correctly handle certain errors
      that could occur during the verification of an X.509 certificate,
      causing it to incorrectly report a successful verification," an advisory
      issued by Red Hat warned. "An attacker could use this flaw to create a
      specially crafted certificate that could be accepted by GnuTLS as valid
      for a site chosen by the attacker."

      GnuTLS developers published this bare-bones advisory that urges all
      users to upgrade to version 3.2.12. The flaw, formally indexed as
      CVE-2014-0092, is described by a GnuTLS developer as "an important (and
      at the same time embarrassing) bug discovered during an audit for Red
      Hat." Debian's advisory is here.

      Distant relative of “goto fail”

      As was the case with last week's critical encryption bug from Apple, the
      GnuTLS vulnerability is the result of someone making mistakes in source
      code that controls critical functions of the program. This time, instead
      of a single misplaced "goto fail" command, the mistakes involve errors
      with several "goto cleanup" calls. The GnuTLS program, in turn,
      prematurely terminates code sections that are supposed to establish
      secure TLS connections only after the other side presents a valid X509
      certificate signed by a trusted source. Attackers can exploit the error
      by presenting vulnerable systems with a fraudulent certificate that is
      never rejected, despite its failure to pass routine security checks. The
      failure may allow attackers using a self-signed certificate to pose as
      the cryptographically authenticated operator of a vulnerable website and
      to decrypt protected communications. It's significant that no one
      managed to notice such glaring errors, particularly since they were
      contained in code that anyone can review.

      Security researchers are still studying the vulnerability and assessing
      its effect on the wide array of OSes and applications that depend on
      GnuTLS. For the moment, readers should assume that the severity is
      critical given the dizzying amount of downstream code that may be
      affected. One example: the apt-get installer some distributions of Linux
      use to distribute and update applications relies on GnuTLS, although
      exploits against the package can probably be caught by cryptographic
      code-signing of the downloaded program (thanks to readers for pointing
      out this secondary level of protection). Version 3 of lib-curl, which is
      distributed in Debian and Ubuntu, also depends on GnuTLS. Some Debian-
      and Ubuntu-based virtual private networking applications that work with
      Cisco Systems hardware are also affected. This list goes on and on.

      Matt Green, a Johns Hopkins University professor specializing in
      cryptography, characterized the vulnerability this way: "It looks pretty
      terrible."

      Kenneth White, a principal security engineer of Social & Scientific
      Systems, agreed, saying the vulnerability "has a lot of side effects."
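The article says the GnuTLS bug comes from error paths that "goto cleanup" and so make a failed check look like a passed one. The following is an added example, not GnuTLS source: it models that shape with a helper whose contract is "1 = this certificate is a CA, 0 = it is not", which on an internal error jumps to cleanup and hands the negative error code back to a caller that only tests "!= 0". The "certificate" is a constructed toy blob rather than X.509, and every name and error code in it is this example's own.

```c
/*
 * Added example, not GnuTLS code.  Models the "goto cleanup" error-handling
 * shape the article describes for CVE-2014-0092.  The toy "certificate" is
 * a constructed blob: byte 0 is the CA flag, the remaining bytes stand in
 * for a signature.  Names and error codes are assumptions of this example.
 */
#include <stdio.h>
#include <string.h>

#define ERR_DECODE      (-1)    /* assumed: negative codes signal errors */
#define ERR_SIG_INVALID (-2)

struct toy_cert {
    const unsigned char *der;
    size_t len;
};

/* Stand-in for the ASN.1 decode step: fails on a truncated blob. */
static int get_ca_flag(const struct toy_cert *c, int *is_ca)
{
    if (c->len < 2)
        return ERR_DECODE;
    *is_ca = (c->der[0] == 1);
    return 0;
}

/* Stand-in for signature verification: only the constructed "good"
 * signature bytes are accepted. */
static int verify_sig(const struct toy_cert *c)
{
    static const unsigned char good_sig[] = { 0xAA, 0xBB };
    if (c->len != 1 + sizeof good_sig ||
        memcmp(c->der + 1, good_sig, sizeof good_sig) != 0)
        return ERR_SIG_INVALID;
    return 0;
}

/* VULNERABLE pattern: contract is "1 = CA, 0 = not", but every error path
 * jumps to cleanup and the negative error code is what the caller gets. */
int check_if_ca_vuln(const struct toy_cert *c)
{
    int result, is_ca = 0;

    result = get_ca_flag(c, &is_ca);
    if (result < 0)
        goto cleanup;               /* returns -1 */
    result = verify_sig(c);
    if (result < 0)
        goto cleanup;               /* returns -2 */
    result = is_ca;                 /* 1 or 0, as the contract says */
cleanup:
    return result;
}

/* FIXED pattern: a separate fail label forces the answer to 0 on any
 * error, so "error" can never read as "is a CA". */
int check_if_ca_fixed(const struct toy_cert *c)
{
    int result, is_ca = 0;

    result = get_ca_flag(c, &is_ca);
    if (result < 0)
        goto fail;
    result = verify_sig(c);
    if (result < 0)
        goto fail;
    result = is_ca;
    goto cleanup;
fail:
    result = 0;
cleanup:
    return result;
}

/* The caller as the article describes it: any nonzero answer means
 * "this certificate may sign the chain". */
int chain_accepts(int (*check)(const struct toy_cert *),
                  const struct toy_cert *c)
{
    return check(c) != 0;
}

/* Constructed inputs. */
static const unsigned char GOOD_CA[] = { 1, 0xAA, 0xBB };  /* CA flag, good sig */
static const unsigned char BAD_SIG[] = { 1, 0xAA, 0xCC };  /* CA flag, wrong sig */
static const unsigned char GARBAGE[] = { 1 };              /* truncated blob */

int main(void)
{
    const struct toy_cert good = { GOOD_CA, sizeof GOOD_CA };
    const struct toy_cert bad  = { BAD_SIG, sizeof BAD_SIG };
    const struct toy_cert junk = { GARBAGE, sizeof GARBAGE };

    printf("good    vuln=%d fixed=%d\n", chain_accepts(check_if_ca_vuln, &good),
           chain_accepts(check_if_ca_fixed, &good));
    printf("badsig  vuln=%d fixed=%d\n", chain_accepts(check_if_ca_vuln, &bad),
           chain_accepts(check_if_ca_fixed, &bad));
    printf("garbage vuln=%d fixed=%d\n", chain_accepts(check_if_ca_vuln, &junk),
           chain_accepts(check_if_ca_fixed, &junk));
    return 0;
}
```

The point to take from it is that a truncated or wrongly signed blob makes the vulnerable helper return -1 or -2, and a caller that treats "nonzero" as "trusted" accepts both; the fixed helper returns 0 for anything that is not a verified CA, which is the only safe default for a boolean that gates trust.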
    • Thad Floryan
      Message 2 of 10, Mar 4, 2014
        On 3/4/2014 9:24 PM, Thad Floryan wrote:
        > http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
        >
        > Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
        >
        > "Hi Ho, Hi Ho, it's back to Windows we go". :-)
        >
        > This GnuTLS bug is worse than the big Apple "goto fail" bug patched last week.
        > [...]

        I posted the same article on Usenet's ba.internet which has received
        2 replies so far:

        (1)
        | It does sound very bad. So I'm wondering why RedHat didn't label
        | it as "critical":
        |
        | https://rhn.redhat.com/errata/RHSA-2014-0246.html
        |
        | RH's score for it is only 5.8:
        |
        | https://access.redhat.com/security/cve/CVE-2014-0092
        |
        | The scoring criteria they use don't seem to imply that this would
        | be "critical:
        |
        | https://access.redhat.com/site/security/updates/classification/

        and
        (2)

        | I checked several of my Linux servers and NONE of them have
        | GnuTLS installed. They all use OpenSSL.

        Thad
      • ed
        Message 3 of 10, Mar 5, 2014
          On Tue, Mar 04, 2014 at 11:04:21PM -0800, Thad Floryan wrote:
          > On 3/4/2014 9:24 PM, Thad Floryan wrote:
          > > http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
          > >
          > > Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
          > >
          > > "Hi Ho, Hi Ho, it's back to Windows we go". :-)
          > >
          > > This GnuTLS bug is worse than the big Apple "goto fail" bug patched last week.
          > > [...]
          >
          > I posted the same article on Usenet's ba.internet which has received
          > 2 replies so far:

          > | I checked several of my Linux servers and NONE of them have
          > | GnuTLS installed. They all use OpenSSL.

          I was thinking openssl is the more popular and more likely to use
          available HW than GnuTLS.

          Currently blocked on Debian.

          <https://www.debian.org/security/2014/dsa-2869>

          --
          Best regards,
          Ed http://www.s5h.net/
        • Godwin Stewart
          Message 4 of 10, Mar 5, 2014
            On 05/03/2014 05:24, Thad Floryan wrote:

            > http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
            >
            > Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

            Updates already out for Ubuntu server 12.04.4 LTS by the looks of it.

            --
            Godwin Stewart -- <grs.ygroups@...>
          • catbit_1999
            Message 5 of 10, Mar 5, 2014
              This is interesting, I'm trying to reply from yahoo's interface. Wow, it really is terrible, doesn't even show the previous message in line, just in a separate box above--so if this comes out top posted, we know why.

              Anyway, RedHat and CentOS have also released updates.

              http://lists.centos.org/pipermail/centos-announce/2014-March/020185.html
            • Godwin Stewart
              Message 6 of 10, Mar 5, 2014
                On 05/03/2014 10:53, scottro@... wrote:

                > This is interesting, I'm trying to reply from yahoo's interface.
                > Wow, it really is terrible, doesn't even show the previous message in
                > line, just in a separate box above--so if this comes out top posted,
                > we know why.

                No context at all and lines not wrapped at 70-odd characters. Bleurghhh...

                Really Scott, you should know better :)

                --
                Godwin Stewart -- <grs.ygroups@...>
              • Scott
                Message 7 of 10, Mar 5, 2014
                  On Wed, Mar 05, 2014 at 02:53:33AM -0800, scottro@... wrote:
                  >
                  > This is interesting, I'm trying to reply from yahoo's interface. Wow, it really is terrible, doesn't even show the previous message in line, just in a separate box above--so if this comes out top posted, we know why.
                  >
                  > Anyway, RedHat and CentOS have also released updates.
                  >
                  > http://lists.centos.org/pipermail/centos-announce/2014-March/020185.html

                  Oh, I get it now. I would have had to copy from the previous message into
                  the reply box. I could have sworn that I didn't make that
                  longggggggggggggggggggggggggg line so long in the one above.

                  So, on the bright side, the new interface probably encourages people to
                  trim as it becomes an effort to cut and paste the email to which you're
                  replying.


                  --
                  Scott Robbins
                  PGP keyID EB3467D6
                  ( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
                  gpg --keyserver pgp.mit.edu --recv-keys EB3467D6
                • Thad Floryan
                  Message 8 of 10, Mar 5, 2014
                    On 3/4/2014 9:24 PM, Thad Floryan wrote:
                    > http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
                    >
                    > Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
                    >
                    > "Hi Ho, Hi Ho, it's back to Windows we go". :-)
                    >
                    > This GnuTLS bug is worse than the big Apple "goto fail" bug patched last week.
                    > [...]

                    One person in Usenet's ba.internet group posted the following
                    which is clear evidence of sloppy coding, lack of structured
                    design, and total lack of both any QA and peer review and the
                    idiocy of using 'goto' in a C program:

                    " I agree with your assertion that it's a better practice to
                    " initialize your return variable in a failed state. The real
                    " problem was the duplicated "goto fail" line. Our coding
                    " standards at my work are to use braces for all conditionals
                    " including one liners. It's just easier to evaluate and review
                    " each others code.
                    "
                    " Here's that offending code. The bug is pretty clear:
                    "
                    " [...]
                    " static OSStatus
                    " SSLVerifySignedServerKeyExchange(
                    " SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                    " uint8_t *signature, UInt16 signatureLen)
                    " {
                    " OSStatus err;
                    " ...
                    "
                    " if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
                    " goto fail;
                    " if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
                    " goto fail;
                    " goto fail;
                    " if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
                    " goto fail;
                    " ...
                    "
                    " fail:
                    " SSLFreeBuffer(&signedHashes);
                    " SSLFreeBuffer(&hashCtx);
                    " return err;
                    " }
                    " [...]
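The quoted fragment is elided, so here is an added example (not Apple's code) that reduces the quoted SSLVerifySignedServerKeyExchange control flow to something compilable: the duplicated "goto fail" after an unbraced if is taken unconditionally while err is still 0, the signature check is skipped, and the function returns "success". The hash and signature are toys (XOR of the bytes; the signature must equal the hash), the error code is assumed, and everything other than the goto-fail shape is this example's own naming.

```c
/*
 * Added example, not Apple's code.  Compilable model of the duplicated
 * "goto fail" in the quoted fragment, next to a version that applies the
 * two practices the poster names (braces on every conditional, a result
 * initialised to failure).  Hash and signature are toys; ERR_BAD_SIGNATURE
 * is an assumed error code (0 = success, nonzero = failure).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ERR_BAD_SIGNATURE (-1)

/* Toy hash: XOR of all bytes. */
uint8_t toy_hash(const uint8_t *p, size_t n)
{
    uint8_t h = 0;
    for (size_t i = 0; i < n; i++)
        h ^= p[i];
    return h;
}

/* Stand-ins for SSLHashSHA1.update/final and the signature comparison. */
static int hash_update(uint8_t *acc, const uint8_t *p, size_t n)
{
    *acc ^= toy_hash(p, n);
    return 0;
}

static int check_signature(uint8_t hash, uint8_t signature)
{
    return hash == signature ? 0 : ERR_BAD_SIGNATURE;
}

/* VULNERABLE: mirrors the quoted control flow. */
int verify_vuln(const uint8_t *params, size_t n, uint8_t signature)
{
    int err;
    uint8_t hash = 0;

    if ((err = hash_update(&hash, params, n)) != 0)
        goto fail;
        goto fail;              /* duplicated line: unconditional, err == 0 */
    if ((err = check_signature(hash, signature)) != 0)   /* never reached */
        goto fail;
fail:
    return err;                 /* 0, so any signature "verifies" */
}

/* FIXED: braces on every conditional, and a status that stays "failure"
 * until the last check has actually run.  A stray goto now returns an
 * error instead of success. */
int verify_fixed(const uint8_t *params, size_t n, uint8_t signature)
{
    int status = ERR_BAD_SIGNATURE;
    int err;
    uint8_t hash = 0;

    if ((err = hash_update(&hash, params, n)) != 0) {
        status = err;
        goto fail;
    }
    if ((err = check_signature(hash, signature)) != 0) {
        status = err;
        goto fail;
    }
    status = 0;                 /* reached only after the signature check */
fail:
    return status;
}

/* Constructed key-exchange parameters; their toy hash is 0x07. */
static const uint8_t SAMPLE_PARAMS[] = { 0x01, 0x02, 0x04 };

int main(void)
{
    size_t n = sizeof SAMPLE_PARAMS;
    uint8_t right = toy_hash(SAMPLE_PARAMS, n);
    uint8_t forged = 0x00;

    printf("vuln : right=%d forged=%d\n",
           verify_vuln(SAMPLE_PARAMS, n, right), verify_vuln(SAMPLE_PARAMS, n, forged));
    printf("fixed: right=%d forged=%d\n",
           verify_fixed(SAMPLE_PARAMS, n, right), verify_fixed(SAMPLE_PARAMS, n, forged));
    return 0;
}
```

Note that initialising the same variable that each step overwrites is not enough on its own: once hash_update has set err to 0, a stray goto still returns 0. Keeping a separate status that is cleared only after the final check, as verify_fixed does, is what makes the skipped step fail closed.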
                  • Thad Floryan
                    Message 9 of 10, Mar 5, 2014
                      On 3/5/2014 2:23 PM, Thad Floryan wrote:
                      > On 3/4/2014 9:24 PM, Thad Floryan wrote:
                      >> http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
                      >>
                      >> Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
                      >>
                      >> "Hi Ho, Hi Ho, it's back to Windows we go". :-)
                      >>
                      >> This GnuTLS bug is worse than the big Apple "goto fail" bug patched last week.
                      >> [...]
                      >
                      > One person in Usenet's ba.internet group posted the following
                      > which is clear evidence of sloppy coding, lack of structured
                      > design, and total lack of both any QA and peer review and the
                      > idiocy of using 'goto' in a C program:
                      > [...]

                      And another person just commented in ba.internet this shows the
                      fallacy of assuming there are no NSA backdoors in linux since the
                      proverbial "millions of eyes reviewing the source code" is just so
                      much BS -- it never happens and there could be 1000s of backdoors
                      in 1000s of programs in all distros' repositories and no one but
                      the malefactors would know of their existence.

                      In other words: FOSS has hardly any peer review and very little,
                      if any, QA.

                      Thad
                    • Thad Floryan
                      Message 10 of 10, Mar 6, 2014
                        This article appeared today though PC World's web pages never
                        carry a dateline (not even in the article URL) which is really
                        sloppy journalism:

                        http://www.pcworld.com/article/2105145/what-you-need-to-know-about-the-gnutls-linux-bug.html

                        There are a LOT of embedded links in the article so I felt it
                        best to just post the article URL and you can click the links
                        of interest to you.

                        Thad