Crypto Error Leaves Hundreds of Applications Open to Fake Certificates

Jack

Administrator
Thread author
Jan 24, 2011
A crypto error in the GnuTLS library has made hundreds of software packages vulnerable to fake security certificates.

GnuTLS provides support for cryptographic algorithms like SSL and for protocols such as Transport Layer Security (TLS). An open-source offering, it’s used by a wide range of desktop and server products, including Linux, Debian and Ubuntu distributions, to verify digital certificates. Its widespread deployment is an Achilles heel in the case of a flaw being uncovered, which is exactly what’s happened.

Researchers at Red Hat have discovered that GnuTLS does not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw (CVE-2014-0092) to create a specially crafted and very fake certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker.

In other words, any site or application that uses GnuTLS to authenticate certificates is at risk for exploit.
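The bug class the article describes (an error during X.509 verification being reported as a successful result) is easiest to see in code. The following is a constructed illustration added here, not GnuTLS source and not taken from the Red Hat advisory: a tri-state helper returns 1 (is a CA), 0 (not a CA) or a negative error code, and a caller tests that value as a plain C boolean, so every error code is accepted as "yes". The struct, field names, error codes and function names are all assumptions made for the example; the hardened caller shows the check a reviewer would ask for.

```c
#include <stdio.h>

/* Constructed illustration, not GnuTLS source code. It models the
 * error-handling class the article describes for CVE-2014-0092: an
 * internal X.509 helper reports 1 (yes), 0 (no) or a negative error
 * code, and a caller tests that tri-state value as if it were a C
 * boolean, so every error code becomes "yes". */

#define ERR_PARSE   (-1)   /* signed data could not be extracted */
#define ERR_SIG     (-2)   /* signature over the certificate did not verify */

/* Stand-in for a parsed certificate (constructed, not real DER). */
struct toy_cert {
    int well_formed;    /* 1 if the issuer's signed data parses */
    int sig_ok;         /* 1 if the signature verifies */
    int is_ca;          /* basicConstraints CA flag */
};

/* Tri-state helper: 1 = certificate is a CA, 0 = not a CA, <0 = error.
 * The goto-cleanup shape is the common C idiom in which this class of
 * mistake hides: the error code rides out through the same return. */
static int check_if_ca(const struct toy_cert *c)
{
    int result;

    if (!c->well_formed) {
        result = ERR_PARSE;
        goto cleanup;
    }
    if (!c->sig_ok) {
        result = ERR_SIG;
        goto cleanup;
    }
    result = c->is_ca ? 1 : 0;

cleanup:
    return result;
}

/* Vulnerable caller: a plain truth test accepts -1 and -2 as "is a CA". */
int issuer_accepted_vulnerable(const struct toy_cert *issuer)
{
    if (check_if_ca(issuer))          /* BUG: any nonzero value passes */
        return 1;
    return 0;
}

/* Hardened caller: compare against the exact success value and
 * propagate errors instead of folding them into a boolean. */
int issuer_accepted_fixed(const struct toy_cert *issuer)
{
    int r = check_if_ca(issuer);
    if (r < 0)
        return r;                     /* verification failed: do not accept */
    return r == 1;
}

/* Convenience wrappers so each scenario is a single call. */
int vulnerable_result(int well_formed, int sig_ok, int is_ca)
{
    struct toy_cert c = { well_formed, sig_ok, is_ca };
    return issuer_accepted_vulnerable(&c);
}

int fixed_result(int well_formed, int sig_ok, int is_ca)
{
    struct toy_cert c = { well_formed, sig_ok, is_ca };
    return issuer_accepted_fixed(&c);
}

int main(void)
{
    /* A malformed, unsigned, non-CA certificate: the vulnerable path
     * accepts it, the fixed path reports the underlying error. */
    printf("vulnerable: %d\n", vulnerable_result(0, 0, 0));   /* 1: accepted */
    printf("fixed:      %d\n", fixed_result(0, 0, 0));        /* -1: rejected */
    printf("genuine CA, fixed: %d\n", fixed_result(1, 1, 1));  /* 1 */
    return 0;
}
```

The defensive takeaway is the comparison in the fixed caller: when a function mixes a boolean answer with negative error codes, callers must test for the exact success value and treat every negative result as a failed verification, never as a don't-care.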

The news comes just days after Apple patched a similar issue that exposed iOS and OS X users to similar man-in-the-middle attacks. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake. This enables an adversary to masquerade as coming from a trusted remote endpoint, such as a favorite webmail provider, and perform full interception of encrypted traffic between the user and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of a system).

Read more: http://www.infosecurity-magazine.co...ds-of-applications-open-to-fake-certificates/