1.11M Members

Red Hat Risk Reflex (The Linux Security Flaw That Isn't)

 
2
 

News headlines screaming that yet another Microsoft Windows vulnerability has been discovered, is in the wild or has just been patched are two a penny. Such has it ever been. News headlines declaring that a 'major security problem' has been found with Linux are a different kettle of fish. So when reports of an attack that could circumvent verification of X.509 security certificates, and by so doing bypass both secure sockets layer (SSL) and Transport Layer Security (TLS) website protection, people sat up and took notice. Warnings have appeared that recount how the vulnerability can impact upon Debian, Red Hat and Ubuntu distributions. Red Hat itself issued an advisory warning that "GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification... An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid." In all, at least 200 operating systems actually use GnuTLS when it comes to implementing SSL and TLS and the knock-on effect could mean that web applications and email alike are vulnerable to attack. And it's all Linux's fault. Or is it?

The problem with all of this would appear to have started with the best intentions; a programmer working for Red Hat discovered the flaw and Red Hat then issued that advisory which suggested users apply a product update to fix it. All good stuff, with a quick discovery and time to patch ratio. The problem itself, or at least the problem I have here, would more accurately be with the reporting of the flaw. The Internet social media grapevine, Linux and general IT discussion forums, security vendors and before any time at all publications which should know better, all started claiming that this was a Linux bug. A bug, a flaw, with Linux that has been in place for longer than 10 years no less. Linux is flawed, Linux is dangerous, Linux is not as secure as fanboys would have you believe. What a load of rot!

This flaw is very similar indeed to the recent one involving Apple's iOS encryption bug in that it involves the goto command. In the iOS case it was, as I understand it, just a single goto fail command that screwed things up, whereas as far as Linux is concerned it is a whole series of goto cleanup calls that have errors. Here's the thing though, these errors are in the GnuTLS library. This library has been an accepted part of the Linux OS for years now, and Red Hat in particular which is so often used as a web server OS, and so surprise has been expressed by many (quite rightly) at how it could go undetected so long in an open source OS. The big security positive argued when it comes to any open source product is that anyone can access the source code and test any part of it at will, which should mean that security flaws are that much harder to escape attention. I'm with those who say it's a glaring error that the GnuTLS library wasn't checked until now, allowing this error to go unnoticed and available to anyone who might have spotted it and wanted to exploit it for criminal gain. That's a given. What isn't a given, in my opinion, is saying that Linux itself is flawed. That the Linux OS has a major security problem.

Actually, the library (which is maintained by a separate group to the Linux OS one) has a major security problem. The library which isn't used just by Linux distributions (which have patched against the vulnerability) and so the claim of it being a Linux problem are not really valid. Maybe I am splitting hairs here, and let me just state that as a Windows, Android and iOS user but not a Linux one I certainly have no fanboy axe to grind, but this sounds a lot like those who would blame Internet Explorer or Microsoft for an Adobe Reader vulnerability...

Member Avatar
Davey Winder

I'm a hacker turned writer and consultant, specialising in IT security. I've been a freelance word punk for over 20 years and along the way I have seen 23 of my books published, produced and presented programmes for TV and radio, picked up a bunch of awards and continue being a contributing editor with PC Pro - the best selling IT magazine in the UK .

 
1
 

"This library has been an accepted part of the Linux OS for years now, and Red Hat in particular which is so often used as a web server OS, and so surprise has been expressed by many (quite rightly) at how it could go undetected so long in an open source OS."

Just a note to prevent anyone drawing the wrong conclusion from this: RH OSes don't usually use gnutls for web server security. We provide the Apache modules for all three major SSL/TLS libraries - mod_security (OpenSSL), mod_gnutls (gnutls) and mod_nss (NSS). mod_security is the one you're most likely to wind up with if you don't make an explicit choice. Your webserver is obviously only vulnerable to this exploit if you're using mod_gnutls (and you haven't installed the update yet).

 
1
 

Actually it's mod_ssl -- mod_security is another (non SSL) module entirely.

 
0
 

Thanks both for making that clearer than I did :)

Isn't it about time forums rewarded their contributors?

Earn rewards points for helping others. Gain kudos. Cash out. Get better answers yourself.

It's as simple as contributing editorial or replying to discussions labeled or OP Kudos

You
This is an OP Kudos discussion and contributors may be rewarded
Post:
Start New Discussion
View similar articles that have also been tagged: