Announcement

Collapse
No announcement yet.

GnuTLS vulnerability

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    GnuTLS vulnerability

    http://beta.slashdot.org/story/198965

    "According to this article at Ars Technica, '[A] bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn't be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers.' The coding error may have been present since 2005."
    I don't have access to my machine at the moment, but if someone wouldn't mind testing this it could be interesting:

    Code:
    apt-cache whatdepends gnutls
    ...to see whether you're using GnuTLS.

    One of the comments on /. said that it's common in Xubuntu; another indicated Debian doesn't seem to use it. I'm curious about Kubuntu.

    Feathers
    samhobbs.co.uk

    #2
    Code:
    vinny@vinny-HP-G62:~$ apt-cache whatdepends gnutls
    E: Invalid operation whatdepends
    vinny@vinny-HP-G62:~$
    VINNY
    i7 4core HT 8MB L3 2.9GHz
    16GB RAM
    Nvidia GTX 860M 4GB RAM 1152 cuda cores

    Comment


      #3
      Ha!

      Please try this:

      Code:
      apt-cache whatdepends pkg gnutls
      Feathers
      samhobbs.co.uk

      Comment


        #4
        Code:
        vinny@vinny-HP-G62:~$ apt-cache rdepends gnutls
        E: No packages found
        vinny@vinny-HP-G62:~$
        VINNY
        i7 4core HT 8MB L3 2.9GHz
        16GB RAM
        Nvidia GTX 860M 4GB RAM 1152 cuda cores

        Comment


          #5
          Code:
          vinny@vinny-HP-G62:~$ apt-cache whatdepends pkg gnutls
          E: Invalid operation whatdepends
          vinny@vinny-HP-G62:~$
          VINNY
          i7 4core HT 8MB L3 2.9GHz
          16GB RAM
          Nvidia GTX 860M 4GB RAM 1152 cuda cores

          Comment


            #6
            Not sure if that's an error or just a good sign tbh!

            Is gnutls even in the repos? Perhaps the package is called something else...

            Code:
            apt-cache search gnutls
            samhobbs.co.uk

            Comment


              #7
              however
              Code:
              vinny@vinny-HP-G62:~$ apt-cache rdepends libgnutls26
              libgnutls26
              Reverse Depends:
                libavformat53
                wine-compholio
                wine-compholio
                xen-utils-4.1
                vlc-nox
                rsyslog-gnutls
                python-gnutls
                libavformat-extra-53
                chromium-browser
                vino
                telepathy-gabble
                qemu-kvm
                lynx-cur
                libvirt0
                libvirt-bin
                libimobiledevice3
                libgnutlsxx27
                libgnutls26-dbg
                libgnutls-openssl27
                libgnutls-dev
                libgcrypt11
                libgadu3                                                                                                                                                                                      
                libcurl3-gnutls                                                                                                                                                                               
                libcups2                                                                                                                                                                                      
                libavformat53                                                                                                                                                                                 
                gnutls-bin                                                                                                                                                                                    
                exim4-daemon-light                                                                                                                                                                            
                exim4-daemon-heavy
                cups
                xxxterm
                xfce4-mailwatch-plugin
                xen-utils-4.1
                wzdftpd
                wmbiff
                wine1.4-i386
                weechat-curses
                weechat-core
                webfs
                vpnc
                vlc-nox
                sogo
                shishi-kdc
                scrollz
                rsyslog-gnutls
                qutim
                qemu-system
                python-gnutls
                proxytunnel
                prelude-manager
                postal
                plasma-widget-mail
                pianobar
                pacemaker-mgmt-client
                pacemaker-mgmt
                openconnect
                nzbget
                nullmailer
                ngircd
                newsbeuter
                mutt-patched
                msmtp-gnome
                msmtp
                mpop-gnome
                mpop
                minbif
                mandos-client
                libyaz4
                libxmlsec1-gnutls
                libwireshark2
                libvmime0
                libucommon5
                libsope1
                libshishi0
                libprelude2
                libopenvasnasl2-dev
                libopenvasnasl2
                libopenvas2
                libopenconnect2
                libnussl1
                libnet6-1.3-0
                libmicrohttpd10
                libmailutils4
                libloudmouth1-0
                libinfinity-0.5-0
                libinfgtk3-0.5-0
                libiksemel3
                libgwenhywfar60
                libgnustep-base1.22
                libgloox8
                libggz2
                libgensec0
                libevd-0.1-0
                libetpan15
                libepc-1.0-3
                libeet1
                libecore-con1
                libavformat-extra-53
                libapache2-mod-gnutls
                kildclient
                jd
                ircd-ratbox
                inspircd
                infinoted
                gurlchecker
                gtk-gnutella
                gsasl
                gnu-smalltalk
                gnomint
                gkrellm
                freewheeling
                freetds-bin
                filezilla
                emacs24-lucid
                elinks-lite
                elinks
                ekg2-remote
                ekg2-jabber
                echoping
                csync2
                claws-mail
                charybdis
                centerim-utf8
                centerim-fribidi
                centerim
                bitlbee-libpurple
                bitlbee
                aria2
                anubis
                aiccu
                abiword
                vino
                telepathy-salut
                telepathy-gabble
                tdsodbc
                qemu-kvm
                pacemaker
                ntfs-3g
                mutt
                lynx-cur
                libvncserver0
                libvirt0
                libvirt-bin
                libsybdb5
                librtmp0
                libneon27-gnutls
                libldap-2.4-2
                libimobiledevice3
                libgvnc-1.0-0
                libgnutlsxx27
                libgnutls26-dbg
                libgnutls-openssl27
                libgnutls-dev
                libgnomevfs2-0
                libgcrypt11
                libgadu3
                libcurl3-gnutls
                libcups2
                libct4
                libcrmcommon2
                libcib1
                libavformat53
                lftp
                gnutls-bin
                glib-networking
                exim4-daemon-light
                exim4-daemon-heavy
                empathy
                emacs24-nox
                emacs24
                cups
              vinny@vinny-HP-G62:~$
              VINNY
              i7 4core HT 8MB L3 2.9GHz
              16GB RAM
              Nvidia GTX 860M 4GB RAM 1152 cuda cores

              Comment


                #8
                and
                Code:
                vinny@vinny-HP-G62:~$ apt-cache search gnutls
                gnutls-bin - GNU TLS library - commandline utilities
                gnutls-doc - GNU TLS library - documentation and examples
                libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
                libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
                libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
                libgnutls-dev - GNU TLS library - development files
                libgnutls-openssl27 - GNU TLS library - OpenSSL wrapper
                libgnutls26 - GNU TLS library - runtime library
                libgnutls26-dbg - GNU TLS library - debugger symbols
                libgnutlsxx27 - GNU TLS library - C++ runtime library
                libneon27-gnutls - HTTP and WebDAV client library (GnuTLS enabled)
                libneon27-gnutls-dbg - Detached symbols for libneon27 (GnuTLS enabled)
                libneon27-gnutls-dev - Header and static library files for libneon27 (GnuTLS enabled)
                libsoup-gnome2.4-1 - HTTP library implementation in C -- GNOME support library
                libsoup-gnome2.4-dev - HTTP library implementation in C -- GNOME support development files
                libsoup2.4-1 - HTTP library implementation in C -- Shared library
                libsoup2.4-dbg - HTTP library implementation in C -- debugging symbols
                libsoup2.4-dev - HTTP library implementation in C -- Development files
                libsoup2.4-doc - HTTP library implementation in C -- API Reference
                python-pycurl - Python bindings to libcurl
                python-pycurl-dbg - Python bindings to libcurl (debug extension)
                python3-pycurl - Python 3 bindings to libcurl
                python3-pycurl-dbg - Python 3 bindings to libcurl (debug extension)
                cadaver - command-line WebDAV client
                dsyslog-module-gnutls - advanced modular syslog daemon - GnuTLS support
                guile-gnutls - GNU TLS library - GNU Guile bindings
                libapache2-mod-gnutls - Apache module for SSL and TLS encryption with GnuTLS
                libapr-memcache-dev - memcache client library development files
                libapr-memcache0 - memcache client library
                libghc-gnutls-dev - bindings for GNU TLS
                libghc-gnutls-doc - bindings for GNU TLS; documentation
                libghc-gnutls-prof - bindings for GNU TLS; profiling libraries
                libgnutls28 - GNU TLS library - main runtime library
                libgnutls28-dbg - GNU TLS library - debugger symbols
                libgnutls28-dev - GNU TLS library - development files
                libgnutlsxx28 - GNU TLS library - C++ runtime library
                libjs-strophe - Library for writing XMPP clients
                libwww-curl-perl - Perl bindings to libcurl
                libxmlsec1-gnutls - Gnutls engine for the XML security library
                mailutils-imap4d - GNU mailutils-based IMAP4 Daemon
                mailutils-pop3d - GNU mailutils-based POP3 Daemon
                mcrypt - Replacement for old unix crypt(1)
                python-gnutls - Python wrapper for the GNUTLS library
                rsyslog-gnutls - TLS protocol support for rsyslog
                tclcurl - Tcl bindings to libcurl
                vinny@vinny-HP-G62:~$
                VINNY
                i7 4core HT 8MB L3 2.9GHz
                16GB RAM
                Nvidia GTX 860M 4GB RAM 1152 cuda cores

                Comment


                  #9
                  Try

                  apt-cache depends libgnutls28

                  apt-cache depends libgnutls26

                  and also use the "rdepends" switch.
                  "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
                  – John F. Kennedy, February 26, 1962.

                  Comment


                    #10
                    Originally posted by GreyGeek View Post
                    Try

                    apt-cache depends libgnutls28

                    apt-cache depends libgnutls26

                    and also use the "rdepends" switch.
                    read down ,,,,,,did it

                    VINNY
                    i7 4core HT 8MB L3 2.9GHz
                    16GB RAM
                    Nvidia GTX 860M 4GB RAM 1152 cuda cores

                    Comment


                      #11
                      From a regular update today on 13.10:

                      Code:
                      Tue, Mar  4 2014 15:55:44 -0500
                      
                      IMPORTANT: this log only lists intended actions; actions which fail due to
                      dpkg problems may not be completed.
                      
                      Will install 2 packages, and remove 0 packages.
                      ===============================================================================
                      [UPGRADE] libgnutls-openssl27:amd64 2.12.23-1ubuntu4.1 -> 2.12.23-1ubuntu4.2
                      [UPGRADE] libgnutls26:amd64 2.12.23-1ubuntu4.1 -> 2.12.23-1ubuntu4.2
                      ===============================================================================

                      Comment


                        #12
                        Owch... chromium is affected!
                        samhobbs.co.uk

                        Comment


                          #13
                          Thanks for that ronw!

                          There's a quotation from Howard Chu of open LDAP 6 years ago that was discussed in the /. comments, which was quite interesting:

                          http://www.openldap.org/lists/openld.../msg00072.html

                          Looking across more of their APIs, I see that the code makes liberal use of strlen and strcat, when it needs to be using counted-length data blobs everywhere. In short, the code is fundamentally broken; most of its external and internal APIs are incapable of passing binary data without mangling it. The code is completely unsafe for handling binary data, and yet the nature of TLS processing is almost entirely dependent on secure handling of binary data.
                          Someone checked against the most recent, patched, GnuTLS source code:

                          Code:
                           find . -name '*.c' | xargs grep strlen | wc -l
                          522
                          
                          find . -name '*.c' | xargs grep strcat | wc -l
                          44
                          Bit over my head but that suggests that if it was a problem then it's still a problem now.
                          samhobbs.co.uk

                          Comment


                            #14
                            Ah, so you did. My apologies. (Believe it or not, your two searches at 6:39 were not in the msg list when I read this thread and responded at 6:42)

                            Anyway, here's the skinny, which the pissing contest on /. and ARS didn't reveal.
                            http://www.gnutls.org/security.html
                            It wasn't found in the wild, or by someone noticing a break-in.
                            The vulnerability was discovered during an audit of GnuTLS for Red Hat.
                            The audit was easy to do because the source code was open to all. That someone didn't notice it before, during the last 10 years, suggests that the bug is an edge case which isn't easily noticed.
                            How to mitigate the attack?
                            • Upgrade to the latest GnuTLS version (3.2.12 or 3.1.22), or apply the patch for GnuTLS 2.12.x.

                            Kubuntu 14.04 with the latest updates, as of 11AM CST, is running the 3.2.11-2ubuntu1 version, so an update is needed. I have no doubt that the update will come flying through to the repository and an automatic update ASAP.
                            "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
                            – John F. Kennedy, February 26, 1962.

                            Comment

                            Working...
                            X