On May 23rd, Nikos Mavrogiannopoulo (one of the primary authors of the GnuTLS library) submitted a commit identifying the potential for “memory corruption” during the TLS/SSL handshake process. This specific bug makes it possible to initiate a server-based attack on a client system by corrupting its memory using a specially crafted ServerHello message.
The GnuTLS library is included in number of Linux distributions, including Red Hat, which classified the bug as having a High Severity. The security advisory released by the GnuTLS project recommends upgrading GnuTLS to version 3.1.25, 3.2.15 or 3.3.4 in response. Updating IDP signatures as they become available would also be advisable.
According to CSO, the hello bug was reported first by Joonas Kuorilehto of Codenomicon. Interestingly, Codenomicon was among the first companies to discover the Heartbleed vulnerability in the OpenSSL project’s implementation of SSL.
For those seeking a more detailed overview of the bug, there’s a phenomenal technical analysis of the GnuTLS hello vulnerability and an example exploit on the Radare blog.
Rick Kenney is a resident Senior Sales Engineer at Myriad Supply. He has over 10 years of experience leveraging technology to solve evolving business challenges.