A vulnerability (CVE-2014-3466) in the GnuTLS cryptographic library has been discovered which affects Linux users and numerous open source packages.

The vulnerability is caused by the way GnuTLS parses the session ID from the server response during a TLS handshake. A malicious server could use the flaw to send an excessively long session ID value, triggering a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or possibly allowing code execution.
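The defensive pattern that closes this class of bug is to validate the declared session ID length against the fixed buffer before copying anything. The following is an added example written for this post, not GnuTLS's own code; the ServerHello layout follows RFC 5246 (2-byte version, 32-byte random, 1-byte length, session_id of at most 32 bytes), and the function names and the constructed test message are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 5246 defines SessionID as opaque<0..32>: 32 bytes is the largest legal length. */
#define TLS_MAX_SESSION_ID_LEN 32

struct session_id { uint8_t len; uint8_t data[TLS_MAX_SESSION_ID_LEN]; };

/* Parse the session_id field of a ServerHello body (ProtocolVersion + Random + session_id).
   Returns 0 on success, -1 if the message is truncated or the declared length is oversized.
   The length is validated before any copy, so a hostile server cannot overrun out->data. */
int parse_server_hello_session_id(const uint8_t *body, size_t body_len, struct session_id *out) {
    size_t pos = 2 + 32;                               /* skip ProtocolVersion and Random */
    if (body_len < pos + 1) return -1;                 /* no room for the length byte */
    uint8_t declared = body[pos++];
    if (declared > TLS_MAX_SESSION_ID_LEN) return -1;  /* oversized id: reject instead of copying */
    if (body_len - pos < declared) return -1;          /* declared more bytes than were received */
    out->len = declared;
    memcpy(out->data, body + pos, declared);
    return 0;
}

/* Build a constructed ServerHello prefix with the given session_id length (test input, not real traffic). */
size_t build_server_hello(uint8_t *buf, size_t cap, uint8_t sid_len) {
    size_t need = 2 + 32 + 1 + sid_len;
    if (cap < need) return 0;
    buf[0] = 0x03; buf[1] = 0x03;                      /* TLS 1.2 version bytes */
    memset(buf + 2, 0xAA, 32);                         /* placeholder Random */
    buf[34] = sid_len;
    memset(buf + 35, 0x5A, sid_len);                   /* placeholder session_id bytes */
    return need;
}

/* Build a message declaring sid_len bytes and run the parser on it; returns the parser result. */
int check_session_id_len(uint8_t sid_len) {
    uint8_t msg[300];
    struct session_id sid;
    size_t n = build_server_hello(msg, sizeof msg, sid_len);
    return n ? parse_server_hello_session_id(msg, n, &sid) : -1;
}

int main(void) {
    printf("declared 32:  %s\n", check_session_id_len(32) == 0 ? "accepted" : "rejected");
    printf("declared 200: %s\n", check_session_id_len(200) == 0 ? "accepted" : "rejected");
    return 0;
}
```

A parser that skipped the `declared > TLS_MAX_SESSION_ID_LEN` check would copy up to 255 bytes into a 32-byte buffer, which is the shape of the defect described above.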

According to Craig Young, Senior Security Researcher for Tripwire’s Vulnerability and Exposures Research Team (VERT):

If you are using a client application which uses the vulnerable software, a malicious server could essentially load a new program onto your computer with access to whatever you have access to. Since this portion of the SSL handshake is not encrypted, it would also be possible to use a man-in-the-middle attack to trigger the vulnerability.

Someone could likely write reliable exploits on a target-specific basis but a general ‘one exploit to pwn them all’ for this bug seems less likely for any modern Linux due to the prevalence of ASLR/DEP/SELinux. Under these conditions an exploit writer would likely use return-oriented programming (ROP), which requires knowledge of where specific instructions are in memory of the target system. It might even require a secondary bug to disclose information required for the payload.

Although no active exploits taking advantage of the vulnerability have been reported yet, it is recommended that systems are updated now with the patch available for most Linux distributions using the library.


Ken Westin

Ken Westin has contributed 89 posts to The State of Security.
