GnuTLS Patches Buffer Overflow

Monday, June 9, 2014 @ 11:06 AM gHale


GnuTLS, a widely used open source SSL/TLS cryptographic library, has a buffer overflow vulnerability that could crash TLS clients or allow malicious code to execute on the underlying systems.

The GnuTLS library implements secure sockets layer (SSL) and transport layer security (TLS) protocols on computers, servers, and software to provide encrypted communications over insecure channels.

The bug (CVE-2014-3466), discovered by Joonas Kuorilehto of security firm Codenomicon, resides in the way GnuTLS parses the session ID from the server response during a TLS handshake, according to Kuorilehto’s report.

It does not check the length of the session ID value in the ServerHello message against the maximum the protocol allows, which lets a malicious server send an excessively long value and trigger a buffer overflow. The issue could be exploited by sending payload code from a malicious server to clients as they establish encrypted HTTPS connections.

This problem differs from Heartbleed, which could be exploited from either side, i.e. the server (the computer being connected to) or the client (the computer that initiated the connection). The GnuTLS remote code execution vulnerability only works from the server toward a connecting client.

Red Hat has already issued a patch for this vulnerability, describing the issue as follows: “A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake.”

“A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code,” said the Bug Tracker blog.

“The flaw is in read_server_hello() / _gnutls_read_server_hello(), where session_id_len is checked to not exceed incoming packet size, but not checked to ensure it does not exceed maximum session id length.”
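The following C sketch is an added example, not code from the article or from GnuTLS. It contrasts the length check described in the quote above (session_id_len bounded only by the bytes left in the packet) with the corrected check that also enforces the 32-byte TLS maximum, and shows a hardened parser for the session ID field of a ServerHello. The struct, function names, return codes and the constructed ServerHello bytes are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS caps the ServerHello session_id at 32 bytes (RFC 5246, 7.4.1.3). */
#define TLS_MAX_SESSION_ID_SIZE 32
enum { PARSE_OK = 0, PARSE_ERR_TRUNCATED = -1, PARSE_ERR_SESSION_ID = -2 };
/* Client-side session state (hypothetical, not GnuTLS's own struct). */
typedef struct {
    uint8_t session_id[TLS_MAX_SESSION_ID_SIZE];
    size_t session_id_len;
} client_session_t;
/* Length validation only. fixed == 0 reproduces the CVE-2014-3466 logic
 * (bounded by packet only); returns -1 if rejected, else bytes spilled. */
static long session_id_overrun(size_t sid_len, size_t remaining, int fixed)
{
    if (sid_len > remaining)
        return -1;                              /* both variants reject */
    if (fixed && sid_len > TLS_MAX_SESSION_ID_SIZE)
        return -1;                              /* the missing check */
    return sid_len > TLS_MAX_SESSION_ID_SIZE ? (long)(sid_len - TLS_MAX_SESSION_ID_SIZE) : 0;
}

/* Hardened parser for the start of a ServerHello body:
 * version(2) random(32) session_id_len(1) session_id(0..32). */
static int parse_server_hello_session_id(const uint8_t *hello, size_t len,
                                         client_session_t *s)
{
    size_t pos = 2 + 32;                        /* skip version, random */
    if (len < pos + 1)
        return PARSE_ERR_TRUNCATED;
    size_t sid_len = hello[pos++];
    if (sid_len > len - pos)
        return PARSE_ERR_TRUNCATED;             /* the original check */
    if (sid_len > TLS_MAX_SESSION_ID_SIZE)
        return PARSE_ERR_SESSION_ID;            /* the added bound check */
    memcpy(s->session_id, hello + pos, sid_len); /* now at most 32 bytes */
    s->session_id_len = sid_len;
    return PARSE_OK;
}

/* Constructed TLS 1.2 ServerHello prefix with an 0x41-filled session_id. */
static int try_server_hello(size_t sid_len)
{
    uint8_t buf[35 + 255]; client_session_t s;
    buf[0] = 0x03; buf[1] = 0x03; memset(buf + 2, 0x55, 32);
    buf[34] = (uint8_t)sid_len; memset(buf + 35, 0x41, sid_len);
    return parse_server_hello_session_id(buf, 35 + sid_len, &s);
}
```

With fixed == 0, a 200-byte session ID that fits in the packet passes the check and would spill 168 bytes past the buffer; the hardened parser rejects it before any copy.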

The Radare blog also published an in-depth technical analysis, including a proof of concept for this vulnerability, which shows that it could be exploited by any threat actor to execute arbitrary malicious code. The GnuTLS project issued updated versions 3.1.25, 3.2.15 and 3.3.3 to patch the vulnerability.
