Critical Linux Flaw Threatens More Systems Than You Think

By Jill Scharr - Source: Tom's Guide US | 25 comments

A serious bug in the open-source GnuTLS library, used by many Linux variants, undermines the encryption that keeps Web traffic safe from snoops and attackers and is similar to the "goto fail" Apple bug discovered last month. 

But wait. It's Linux — why should Windows and Mac users care? Because Linux exists in more places than the average computer user might realize, and the Linux distributions, or variants, affected by this security flaw are among the most widely used.

First of all, Red Hat Enterprise Linux is widely used by Internet servers, which host Web pages that you access from any computer.

Another affected distribution, Ubuntu Linux, is the most common version of Linux used on personal computers. Ubuntu is also the basis of other Linux distributions, including Linux Mint and SteamOS. 

Android is Linux-based as well, but uses OpenSSL, a different SSL/TLS library (see below for an explanation) by default. Android owners should generally be safe from the GnuTLS bug, although it's possible that some individual apps may use GnuTLS.

The GnuTLS library can be used in Windows or in any Unix-like OS, which includes Linux and Mac OS X. Any piece of software that uses the GnuTLS library is affected by the bug.

Here's how the bug itself works: The GnuTLS library provides the code that lets a computer connect securely to the Internet via the SSL, TLS and DTLS protocols. These protocols encrypt your Web traffic while it's in transit so that snoops on the network can't read your personal information or modify the data packets in a man-in-the-middle attack.

The GnuTLS library has several errors that let attackers force it to accept a false SSL/TLS certificate (an X.509 certificate), thus allowing attackers to decrypt Internet traffic on targeted computers. Even worse, this bug may have existed in the code since 2005.

The nature of this bug is similar to the equally critical "goto fail" bug discovered and patched in Apple's Mac OS X, iOS and Apple TV operating systems late in February.

In both cases, the errors undermined SSL/TLS encryption, leaving victims unprotected. Both bugs also appear to result from simple human error on the part of software coders.

In the GnuTLS case, however, the fact that the bug existed for so long is surprising, since anyone can review open-source code. (No outside eyes noticed the bug in Apple's open-source Secure Transport SSL/TLS library either.)
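To make the bug class concrete, here is a constructed C illustration (written for this article, not GnuTLS's or Apple's actual code) of the coding mistake described above: a certificate check whose error path hands back a negative error code, which a caller that only asks "non-zero?" then treats as "yes, this certificate is acceptable". The struct, the `DER:` parsing stand-in, the return conventions and all function names are assumptions for the example; the hardened variant shows the fix pattern of routing failures to a path that forces a "reject" answer.

```c
/* Constructed illustration of the "error path treated as success" bug class.
 * Conventions assumed for this example: negative = error, 0 = not a CA,
 * 1 = is a CA. None of this is GnuTLS's real code. */
#include <stdbool.h>
#include <string.h>

#define ERR_BAD_DER (-1)   /* constructed error code for an unparsable cert */

struct cert { const char *der; bool is_ca_flag; };

/* Stand-in for DER parsing: succeeds only if the blob starts with "DER:". */
static int parse_signed_data(const struct cert *c) {
    return strncmp(c->der, "DER:", 4) == 0 ? 0 : ERR_BAD_DER;
}

/* Vulnerable pattern: every failure jumps to cleanup, which returns the
 * negative error code. A caller testing "!= 0" cannot tell an error apart
 * from "yes, this is a CA", so a malformed certificate is waved through. */
int check_if_ca_vulnerable(const struct cert *issuer) {
    int result = parse_signed_data(issuer);
    if (result < 0) goto cleanup;
    result = issuer->is_ca_flag ? 1 : 0;
cleanup:
    return result;
}

/* Hardened pattern: failures take a distinct path that forces the answer
 * to 0 ("not a CA"), so a parse error can never masquerade as success. */
int check_if_ca_fixed(const struct cert *issuer) {
    int result = parse_signed_data(issuer);
    if (result < 0) goto fail;
    return issuer->is_ca_flag ? 1 : 0;
fail:
    return 0;
}

/* Caller written in the style that makes the vulnerable version dangerous:
 * it only asks whether the answer was non-zero. */
bool issuer_accepted(const struct cert *issuer,
                     int (*check_if_ca)(const struct cert *)) {
    return check_if_ca(issuer) != 0;
}
```

With the vulnerable check, an unparsable issuer certificate is accepted; with the fixed check it is rejected while a genuine CA certificate still passes.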

Fortunately, a solution already exists: updating to GnuTLS 3.2.12. Ubuntu and Linux Mint users will get this rolled into their daily update notifications; Red Hat Enterprise will have to be manually patched by IT departments.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.

  • 4 Hide
    Rhinofart , March 4, 2014 4:10 PM
    Really? No comments saying "Linux sucks"? If this was any other OS, the fanbois would be all over it. Just goes to show NO OS is infallible.
  • 4 Hide
    b23h , March 4, 2014 4:16 PM
    yea, the ever-present Linux fanboys are deathly silent. I guess that excellent opensource code wasn't quite so excellent.
  • 0 Hide
    TFrog , March 4, 2014 4:52 PM
    You'll note that this critical flaw was fixed the very same day. You Microsloth fanboys WON'T get that kind of speed from Microsloth to fix a critical error. Linux remains to be one of if not the BEST OS bar none. And it's free unlike Microsloth Winbloze.
  • 5 Hide
    irish_adam , March 4, 2014 4:58 PM
    Quote:
    Really? No comments saying "Linux sucks"? If this was any other OS, the fanbois would be all over it. Just goes to show NO OS is infallible.
    no internet enabled device is 100% secure and it never will be. All you can hope for is that once these flaws are found they are fixed ASAP. I will note though, for the money you pay for Apple products and Windows, you would assume that they would fix their problems faster than Linux, which is free.
  • 5 Hide
    b23h , March 4, 2014 6:10 PM
    Quote:
    You'll note that this critical flaw was fixed the very same day. You Microsloth fanboys WON'T get that kind of speed from Microsloth to fix a critical error. Linux remains to be one of if not the BEST OS bar none. And it's free unlike Microsloth Winbloze.
    ah, you mean nine years later. I thought one of the supposed strong points of open source software was that bugs would be noticed and fixed earlier.
  • 1 Hide
    antilycus , March 4, 2014 6:50 PM
    There is still a REALLY evil MS bug that wipes out all users' redirected folders in Active Directory that has existed since Windows Server 2003 and is still there in Windows Server 2012. Microsoft's answer is "change a setting before it happens", and it is not set by default (and is very difficult to find). We know of companies that have lost millions because of this bug.
  • 7 Hide
    Harry Callahan , March 4, 2014 6:53 PM
    This article leaves out several important details. Full disclosure, I'm a Linux fanboy, I guess; I started using Linux eighteen years ago and all my computers run Linux.
    The main point to understand is that only a small minority of Linux software uses GnuTLS. No web browsers on Linux use GnuTLS for certificate validation. (Google Chrome does use GnuTLS, but not for certificate validation; it uses NSS for certificate validation.) No web servers or other servers on Linux use GnuTLS. On my system (a fairly complete and functional Linux install), the only user programs using GnuTLS are lftp (a command-line ftp client), TigerVNC (VNC client/server), Wireshark (ethernet sniffer), CUPS (printer drivers), and libvirt (virtualization support). If I were still using mutt (terminal-based email client), that would have been affected. The vast majority of programs use openssl or NSS for TLS support.
    The bug was published on Feb. 25 by the GnuTLS author, patched on Feb. 26, and included in official GnuTLS releases on March 3. https://bugzilla.redhat.com/show_bug.cgi?id=1069865
    I am confused why Jill would state that Red Hat Enterprise needs to be manually patched. This is completely untrue. Red Hat Enterprise installations receive automatic software updates just like Ubuntu and Mint. In fact, updates for Red Hat are already published on the update servers; Ubuntu and Mint (as of this writing) have not published their updates yet.
  • 6 Hide
    mamasan2000 , March 4, 2014 9:56 PM
    "Both bugs also appear to result from simple human error on the part of software coders." As opposed to monkeys? Who else codes programs?
  • -3 Hide
    rokit , March 4, 2014 10:38 PM
    That was a critical flaw? It was fixed in 1 day! Jeez, you MS/Apple fanboys are slow. Try harder.
  • 2 Hide
    itsnotmeitsyou , March 4, 2014 10:40 PM
    Quote:
    "Both bugs also appear to result from simple human error on the part of software coders." As opposed to monkeys? Who else codes programs?
    NSA monkeys. I know they said it was error, but wouldn't be surprised if the NSA has been cashing in on this one for some time.
  • 9 Hide
    xroe , March 4, 2014 11:52 PM
    Quote:
    You'll note that this critical flaw was fixed the very same day. You Microsloth fanboys WON'T get that kind of speed from Microsloth to fix a critical error. Linux remains to be one of if not the BEST OS bar none. And it's free unlike Microsloth Winbloze.
    I'm sorry but the way you capitalize and make a point to rename everything to do with Microsoft makes me think of you as nothing more than a troll. It's good and all to support what you believe in but really, "Microsloth and Winbloze"? That makes you sound like a child.
  • 3 Hide
    sam_p_lay , March 5, 2014 1:44 AM
    Quote:
    I'm sorry but the way you capitalize and make a point to rename everything to do with Microsoft makes me think of you as nothing more than a troll. It's good and all to support what you believe in but really, "Microsloth and Winbloze"? That makes you sound like a child.
    My thoughts exactly.
  • 5 Hide
    Spad7 , March 5, 2014 3:11 AM
    Quote:
    That was a critical flaw? It was fixed in 1 day! Jeez, you MS/Apple fanboys are slow. Try harder.
    "Even worse, this bug may have existed in the code since 2005." Not an Apple or MS fanboy . . . but I'm not a Linux fanboy either.
  • -2 Hide
    spookyman , March 5, 2014 4:56 AM
    We can thank our NSA for developing ways to crack our security certs
  • 3 Hide
    ddpruitt , March 5, 2014 5:00 AM
    This isn't a Linux thing per se, GnuTLS is a library that just happens to be used more on Linux systems than elsewhere. It also shouldn't be compared with Apple's bug. Other than the fact that both should have been caught with proper testing or code reviews, they're different animals. In this case it's obvious it was coded using the Cowboy method of software engineering: the wrong piece of code was called after a failure. It can be done with gotos, function calls, or objects. Looking at the past, it looks like a number of people advised against using GnuTLS because the maintainers used poor programming practices while obviously unaware of them. Looks like they were right.
    I think both of these cases show that we've been giving degrees to coders rather than real engineers, and why you should be willing to pay for a real engineer.
  • 0 Hide
    JD88 , March 5, 2014 5:18 AM
    Already fixed in Ubuntu. (Same day)
  • 5 Hide
    Brian Moose , March 5, 2014 6:48 AM
    SteamOS isn't based off of Ubuntu, it's based off of Debian.
  • 0 Hide
    Zetto , March 5, 2014 8:24 AM
    Quote:
    You'll note that this critical flaw was fixed the very same day. You Microsloth fanboys WON'T get that kind of speed from Microsloth to fix a critical error. Linux remains to be one of if not the BEST OS bar none. And it's free unlike Microsloth Winbloze.
    Uh, what? "Even worse, this bug may have existed in the code since 2005" And everyone knows the best coders don't need or accept a paycheck. Right son, carry on in your fantasy land then.
  • 2 Hide
    damianrobertjones , March 5, 2014 8:35 AM
    Quote:
    we know of companies that have lost millions because of this bug.
    Yeah, ok, what happened to the backups? What happened to TESTING software in a VM environment? I find it difficult to accept your comment.
  • 2 Hide
    ddpruitt , March 5, 2014 3:38 PM
    Quote:
    Quote:
    we know of companies that have lost millions because of this bug.
    Yeah, ok, what happened to the backups? What happened to TESTING software in a VM environment? I find it difficult to accept your comment.
    Don't know why this got downvoted, but I agree. You don't lose data due to a bug unless you're doing something else wrong. Google shows that this issue did exist on Server 2008 but a hotfix was released for it and that anyone who had backups was fine. To top it off it's a strange corner condition that only shows up with a sysadmin being lazy IMHO (Move it yourself, don't have the OS do it, that always screws stuff up).