
Critical GnuTLS Flaw Leaves SSL Clients Vulnerable to Remote Code Execution

2014-06-04 02:15:00
Mohit Kumar
thehackernews.com
EPSS: 0.661 (Medium), percentile 97.9%

GnuTLS Remote Code Execution Flaw Leaves SSL Clients and Systems Vulnerable

GnuTLS, a widely used open source SSL/TLS cryptographic library, contains a buffer overflow vulnerability that could be exploited to crash TLS clients or potentially execute malicious code on the underlying systems.

The GnuTLS library implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols on computers, servers, and software to provide encrypted communications over insecure channels.

The bug (CVE-2014-3466) was independently discovered by Joonas Kuorilehto of security firm Codenomicon, the same firm that discovered the biggest Internet vulnerability, Heartbleed. GnuTLS is not as widely deployed as OpenSSL, the library affected by Heartbleed.

The GnuTLS vulnerability resides in the way GnuTLS parses the session ID from the server response during a TLS handshake. It does not check the length of the session ID value in the ServerHello message, which allows a malicious server to send an excessively long value and trigger a buffer overflow. The reported flaw could be exploited by sending payload code from a malicious server to clients as they establish encrypted HTTPS connections.

Heartbleed could be exploited from both sides, i.e. by the server (the computer connected to) or by the client (the computer that initiated the connection), whereas the GnuTLS remote code execution vulnerability only works from the server to a connecting client.

Red Hat has already issued a patch for this vulnerability, describing it as “A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake,” and its Bug Tracker explained: “A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code.”

“The flaw is in read_server_hello() / gnutls_read_server_hello(), where session_id_len is checked to not exceed incoming packet size, but not checked to ensure it does not exceed maximum session id length.”

The Radare blog also published an in-depth technical analysis, including a proof-of-concept for this vulnerability, which indicates that it can be exploited by any threat actor to execute any type of malicious code. Meanwhile, the GnuTLS project has already issued updated versions 3.1.25, 3.2.15 and 3.3.3 to patch the vulnerability.
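The length check that the Red Hat bug report quoted above describes as missing, shown as an added C example (not GnuTLS source and not the upstream patch): a ServerHello body parser that applies the packet-size check and then the maximum-length check before copying. The names `fits_in_packet`, `parse_server_hello`, `make_hello` and `struct session` are hypothetical; the 32-byte limit and the field layout (2-byte version, 32-byte random, 1-byte length) are taken from the TLS specification, and the sample message is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SESSION_ID_LEN 32  /* TLS SessionID is opaque<0..32> (RFC 5246) */
#define HELLO_FIXED_LEN    35  /* version(2) + random(32) + session_id_len(1) */

enum { PARSE_OK = 0, ERR_TRUNCATED = -1, ERR_SESSION_ID_TOO_LONG = -2 };
struct session { uint8_t id[MAX_SESSION_ID_LEN]; size_t id_len; };

/* The check the bug report says was present: declared length vs. packet size. */
int fits_in_packet(const uint8_t *body, size_t body_len)
{
    return body_len >= HELLO_FIXED_LEN &&
           (size_t)body[34] <= body_len - HELLO_FIXED_LEN;
}

/* Hardened parse: the length is also bounded by the destination buffer. */
int parse_server_hello(const uint8_t *body, size_t body_len, struct session *out)
{
    if (!fits_in_packet(body, body_len))
        return ERR_TRUNCATED;
    size_t len = body[34];
    if (len > MAX_SESSION_ID_LEN)  /* the bound the report says was not enforced */
        return ERR_SESSION_ID_TOO_LONG;
    memcpy(out->id, body + HELLO_FIXED_LEN, len);
    out->id_len = len;
    return PARSE_OK;
}

/* Constructed sample: a ServerHello body declaring an n-byte session ID. */
size_t make_hello(uint8_t *buf, size_t cap, uint8_t n)
{
    size_t total = HELLO_FIXED_LEN + (size_t)n;
    if (total > cap)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x03; buf[1] = 0x03;  /* TLS 1.2 version bytes */
    buf[34] = n;
    memset(buf + HELLO_FIXED_LEN, 0xAB, n);
    return total;
}

int main(void)
{
    uint8_t buf[512]; struct session s;
    size_t n = make_hello(buf, sizeof buf, 200);
    printf("packet-size check: %d, hardened parse: %d\n",
           fits_in_packet(buf, n), parse_server_hello(buf, n, &s));
    return 0;
}
```

A 200-byte session ID passes the packet-size check because the bytes really are in the packet; only the comparison against the 32-byte destination buffer rejects it.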