The similarities between the GnuTLS bug and Apple’s goto fail bug begin and end at their respective failure to verify TLS and SSL certificates. Otherwise, they’re neither siblings, nor distant cousins.
The GnuTLS bug is very different, though like Apple’s infamous goto fail error, it will also treat bogus digital certificates as valid.
“It allows someone to impersonate a trusted website, which as far as TLS/SSL goes is the attacker’s Holy Grail,” said cryptographer Matthew Green of Johns Hopkins University. “This one was more of a dumb coding mistake, whereas Apple could have been a cut-and-paste error. It looks like [GnuTLS] failed to cast a return variable correctly. C is hard.”
In both cases, an attacker with man-in-the-middle positioning can intercept traffic and introduce an invalid digital certificate, which, because of shoddy coding errors in both software packages, will be checked off as legitimate.
While the goto command appears in the buggy code in both vulnerabilities, the GnuTLS bug veers off in a different direction. Goto fail, for example, is a standard C paradigm for error handling. Goto, in this case, is being used correctly, said Melissa Elliott, a security researcher with Veracode. The problem, she said, is related to variable typing and an improper mixing of error codes that led to this mess.
Elliott said the faulty code snippet in question is supposed to return either a true or false value depending on whether the certificate is valid; this paradigm is called a Boolean return code. The GnuTLS bug, however, returns specific error codes identified by negative numbers, each signifying something different, she said.
“The mistake was that when one of these functions returned an error, it would be treated as though it were Boolean without changing the actual number. Under Boolean rules, anything that is not a zero is ‘true,’” Elliott said. “Hence, an error meant to indicate failure would be passed up the chain as ‘true’ (no error) instead of ‘false’ (error).”
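The pattern Elliott describes, as an added example in C that is not GnuTLS's own code: the function names and the error value are constructed for illustration. A negative error code passed through a Boolean-style return is read by the caller as "true", while the hardened variant folds errors to 0 before returning.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical error codes: zero is success, negatives are specific failures. */
#define ERR_OK            0
#define ERR_PARSE_FAILED (-43)   /* constructed value */

/* Stand-in for a helper that parses a certificate field. */
static int parse_issuer(bool malformed) {
    return malformed ? ERR_PARSE_FAILED : ERR_OK;
}

/* Flawed: meant to answer "is this a CA certificate?" (1 = yes, 0 = no),
 * but on a helper error it returns the negative code unchanged. */
static int check_issuer_flawed(bool malformed, bool is_ca) {
    int result = parse_issuer(malformed);
    if (result < 0)
        goto cleanup;            /* the goto is fine; the value it carries is the bug */
    result = is_ca ? 1 : 0;
cleanup:
    return result;
}

/* Hardened: any error is converted to 0 ("no") before leaving the function. */
static int check_issuer_fixed(bool malformed, bool is_ca) {
    int result = parse_issuer(malformed);
    if (result < 0) {
        result = 0;
        goto cleanup;
    }
    result = is_ca ? 1 : 0;
cleanup:
    return result;
}

/* Caller applying Boolean rules: anything non-zero counts as "true". */
static bool accepted(int rc) {
    return rc != 0;
}

int main(void) {
    /* Malformed certificate that is not a CA: should be rejected. */
    printf("flawed: %s\n", accepted(check_issuer_flawed(true, false)) ? "accepted" : "rejected");
    printf("fixed:  %s\n", accepted(check_issuer_fixed(true, false)) ? "accepted" : "rejected");
    return 0;
}
```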
The GnuTLS bug was uncovered during a recent audit requested by Linux distributor Red Hat. GnuTLS is the SSL and TLS implementation used by hundreds of software packages, including many flavors of Red Hat Enterprise Linux, and all Debian and Ubuntu distributions. Core crypto and mail libraries such as libcrypt and libmailutils, and cURL are affected. GnuTLS is not as widely implemented as OpenSSL, nor is it deployed on a mainstream iOS device, for example, but it is well deployed in Linux and open source applications.
Elliott said the GnuTLS bug is exploitable in ways other than the man-in-the-middle attack that applies to Apple’s goto fail bug.
“For example, if you had someone else’s certificate stored on your personal computer, and a program tried to check that it was valid with reference to the locally trusted CAs (certificate authorities), it could receive the wrong answer,” Elliott said.
Johns Hopkins’ Green said insufficient code review and testing likely allowed the GnuTLS bug to slip through.
“This stuff is hard. Clearly people need to run their TLS implementations through test harnesses and tools that may not exist yet,” Green said, adding that decent TLS code scanners are lacking.
Elliott agreed.
“It is distressingly easy to accidentally write a bug like this. It does not cause anything to crash. Full-featured C compilers can warn you about this bug, but the false positive rate (that is, instances where it can’t possibly do any harm) is high enough that most programmers are inclined to ignore them,” Elliott said. “Unfortunately, this is security-sensitive code, so the consequences of missing the one important warning in a list of benign ones can be catastrophic.”
GnuTLS issued an advisory confirming the vulnerability and urging users to upgrade to the latest GnuTLS version, 3.2.12 or 3.1.22, or to apply a patch for GnuTLS 2.12x.