Red Hat Risk Reflex (The Linux Security Flaw That Isn't)


News headlines screaming that yet another Microsoft Windows vulnerability has been discovered, is in the wild or has just been patched are two a penny. Such has it ever been. News headlines declaring that a 'major security problem' has been found with Linux are a different kettle of fish. So when reports surfaced of an attack that could circumvent verification of X.509 security certificates, and by so doing bypass both Secure Sockets Layer (SSL) and Transport Layer Security (TLS) website protection, people sat up and took notice. Warnings have appeared that recount how the vulnerability can impact upon Debian, Red Hat and Ubuntu distributions. Red Hat itself issued an advisory warning that "GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification... An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid." In all, at least 200 operating systems actually use GnuTLS when it comes to implementing SSL and TLS, and the knock-on effect could mean that web applications and email alike are vulnerable to attack. And it's all Linux's fault. Or is it?

The problem with all of this would appear to have started with the best intentions: a programmer working for Red Hat discovered the flaw, and Red Hat then issued that advisory, which advised users to apply a product update to fix it. All good stuff, with a quick discovery and a short time to patch. The problem itself, or at least the problem I have here, lies more accurately with the reporting of the flaw. The Internet social media grapevine, Linux and general IT discussion forums, security vendors and, before long, publications which should know better all started claiming that this was a Linux bug. A bug, a flaw, with Linux that has been in place for longer than 10 years no less. Linux is flawed, Linux is dangerous, Linux is not as secure as fanboys would have you believe. What a load of rot!

This flaw is very similar indeed to the recent Apple iOS encryption bug in that it involves the goto statement. In the iOS case it was, as I understand it, just a single goto fail statement that screwed things up, whereas in this case it is a whole series of error paths ending in goto cleanup that are mishandled, so that a failed check can still be reported as a successful verification. Here's the thing though: these errors are in the GnuTLS library. This library has been an accepted part of the Linux OS for years now, and Red Hat in particular which is so often used as a web server OS, and so surprise has been expressed by many (quite rightly) at how it could go undetected so long in an open source OS. The big security positive argued when it comes to any open source product is that anyone can access the source code and test any part of it at will, which should mean that security flaws are that much harder to escape attention. I'm with those who say it's a glaring error that the GnuTLS library wasn't checked until now, allowing this error to go unnoticed and available to anyone who might have spotted it and wanted to exploit it for criminal gain. That's a given. What isn't a given, in my opinion, is saying that Linux itself is flawed. That the Linux OS has a major security problem.
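As an added illustration, not code from this article or from GnuTLS, here is a constructed C sketch of the error-handling pattern described above: a verification routine documented to return 1 (verified) or 0 (not verified) whose error path jumps to cleanup with a negative error code still in the result variable, so a caller that treats any non-zero value as "verified" accepts a malformed certificate, shown beside the fail-closed form. The cert_t struct, the helper and the error code are all assumptions made for the example.

```c
#include <stdio.h>

/* Constructed error code and certificate stand-in (not GnuTLS's real API). */
#define ERR_BAD_SIGNED_DATA (-3)   /* negative values mean "an error occurred" */

typedef struct {
    int signature_ok;   /* 1 if the issuer signature verifies, 0 otherwise */
    int parse_fails;    /* 1 to simulate a malformed, unparseable certificate */
} cert_t;

/* Constructed sample inputs: a well-formed certificate and a malformed one. */
static const cert_t good_cert      = { 1, 0 };
static const cert_t malformed_cert = { 0, 1 };

/* Simulated helper: returns 0 on success, a negative error code on failure. */
static int get_signed_data(const cert_t *c) {
    return c->parse_fails ? ERR_BAD_SIGNED_DATA : 0;
}

/* Vulnerable pattern: documented to return 1 (verified) or 0 (not verified),
 * but the error path jumps to cleanup with the negative error code still in
 * 'result'. A caller testing "result != 0" sees that as verified. */
int verify_vulnerable(const cert_t *c) {
    int result = get_signed_data(c);
    if (result < 0)
        goto cleanup;           /* BUG: result is now -3, not 0 */
    result = c->signature_ok;
cleanup:
    return result;
}

/* Hardened pattern: every error path explicitly sets result to 0 ("not
 * verified") before jumping, so a failure can never read as success. */
int verify_fixed(const cert_t *c) {
    int result = 0;
    int ret = get_signed_data(c);
    if (ret < 0) {
        result = 0;             /* fail closed */
        goto cleanup;
    }
    result = c->signature_ok;
cleanup:
    return result;
}

/* How a typical caller interprets the boolean-style return value. */
int caller_accepts(int (*verify)(const cert_t *), const cert_t *c) {
    return verify(c) != 0;      /* "non-zero means verified" */
}
```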

Actually, the library (which is maintained by a separate group from the one that maintains the Linux OS) has a major security problem. The library isn't used just by Linux distributions (which have patched against the vulnerability), and so the claim of it being a Linux problem is not really valid. Maybe I am splitting hairs here, and let me just state that as a Windows, Android and iOS user but not a Linux one I certainly have no fanboy axe to grind, but this sounds a lot like those who would blame Internet Explorer or Microsoft for an Adobe Reader vulnerability...

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the 'Enigma Award' for a 'lifetime contribution to information security journalism' in 2011 despite my life being far from over...

AdamWill

"This library has been an accepted part of the Linux OS for years now, and Red Hat in particular which is so often used as a web server OS, and so surprise has been expressed by many (quite rightly) at how it could go undetected so long in an open source OS."

Just a note to prevent anyone drawing the wrong conclusion from this: RH OSes don't usually use gnutls for web server security. We provide the Apache modules for all three major SSL/TLS libraries - mod_security (OpenSSL), mod_gnutls (gnutls) and mod_nss (NSS). mod_security is the one you're most likely to wind up with if you don't make an explicit choice. Your webserver is obviously only vulnerable to this exploit if you're using mod_gnutls (and you haven't installed the update yet).

Chris_22

Actually it's mod_ssl -- mod_security is another (non SSL) module entirely.

happygeek

Thanks both for making that clearer than I did :)
