SecureState Blog


Newest vulnerability in open source cryptographic library exposes Linux clients

The latest vulnerability in the popular GnuTLS library places Linux clients at risk of being compromised by the servers they connect to. GnuTLS is an open source alternative to the OpenSSL library, which earlier this year was responsible for the now-infamous Heartbleed bug. While Heartbleed was proven to disclose sensitive keys from memory, the GnuTLS bug is a different class of vulnerability. GnuTLS is not as widely used as OpenSSL and, unlike Heartbleed, this vulnerability only affects client connections.

The GnuTLS bug results from an unchecked bound on the session ID length when processing a session ID sent by the server. This leads to a classic buffer overflow condition in which adjacent memory is overwritten. A buffer overflow is a class of memory corruption vulnerability that is very commonly used in exploits. It is speculated that this bug can be exploited to gain arbitrary code execution; however, no stable public exploit has been released at this time.
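To show what "unchecked bound" means here, the following is an added illustration written for this post, not GnuTLS's own code. A TLS session ID is a one-byte length followed by at most 32 bytes of ID (per RFC 5246), so a parser that copies the server-supplied length into a fixed 32-byte buffer must reject a length larger than 32 and a length that runs past the end of the record; the parser below does both, and the `make_field` helper and its inputs are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLS_MAX_SESSION_ID_LEN 32   /* RFC 5246: SessionID is <0..32> bytes */

typedef struct {
    uint8_t id[TLS_MAX_SESSION_ID_LEN];
    size_t  id_len;
} session_t;

/* Parse a session-ID field: one length byte followed by that many ID bytes.
 * Returns 0 on success, -1 if the field is malformed. An unchecked parser
 * would memcpy `len` bytes straight into out->id; a server-chosen len > 32
 * then overwrites whatever sits after the 32-byte buffer. */
int parse_session_id(const uint8_t *buf, size_t buf_len, session_t *out)
{
    if (buf_len < 1)
        return -1;                        /* no length byte at all */
    size_t len = buf[0];
    if (len > TLS_MAX_SESSION_ID_LEN)
        return -1;                        /* would overflow out->id */
    if (len > buf_len - 1)
        return -1;                        /* would read past the record */
    memcpy(out->id, buf + 1, len);
    out->id_len = len;
    return 0;
}

/* Constructed test input: a length byte `claimed` followed by `avail`
 * filler bytes. Returns the number of bytes written (0 if dst is too small). */
size_t make_field(uint8_t claimed, size_t avail, uint8_t *dst, size_t dst_cap)
{
    if (dst_cap < 1 + avail)
        return 0;
    dst[0] = claimed;
    memset(dst + 1, 0xAB, avail);
    return 1 + avail;
}

int main(void)
{
    uint8_t field[256];
    session_t s;
    size_t n = make_field(32, 32, field, sizeof field);
    printf("32-byte id:     %s\n", parse_session_id(field, n, &s) == 0 ? "accepted" : "rejected");
    n = make_field(200, 200, field, sizeof field);
    printf("200-byte id:    %s\n", parse_session_id(field, n, &s) == 0 ? "accepted" : "rejected");
    n = make_field(16, 10, field, sizeof field);
    printf("truncated id:   %s\n", parse_session_id(field, n, &s) == 0 ? "accepted" : "rejected");
    return 0;
}
```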

Red Hat is credited with discovering the vulnerability, and all affected users are urged to update their installations of GnuTLS to the latest versions, which are 3.1.25, 3.2.15 and 3.3.3.