Linux now affected by Heartbleed-esque bug

Jimmy Nicholls

10:55, June 5 2014


Debian, Red Hat and Ubuntu software packages all at risk.

Linux has been hit by a Heartbleed-esque bug affecting more than 350 software packages across various distributions including Debian, Red Hat and Ubuntu.

The vulnerability is said to lie in the GnuTLS library, a free implementation of the TLS/SSL protocols comparable to OpenSSL, the library in which the Heartbleed bug was found.

Red Hat said: "A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code."

A buffer overflow occurs when a program writes more data than fits into the memory region set aside for it, overwriting adjacent memory and leading to unpredictable behaviour in programs, including crashes and security problems.
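As an added illustration (not code from the article, Red Hat or GnuTLS), here is a simplified C parser for the session id field of a TLS ServerHello that shows the length check whose absence produces the kind of client-side overflow described above; the message layout, function and type names are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified layout of the session_id field in a TLS
 * ServerHello: one length byte followed by that many id bytes. The TLS
 * specification caps the session id at 32 bytes, so the client stores
 * it in a fixed 32-byte buffer. */
#define TLS_MAX_SESSION_ID_LEN 32

struct session {
    uint8_t id[TLS_MAX_SESSION_ID_LEN];
    size_t id_len;
};

/* Returns 0 on success, -1 if the message is malformed or the server
 * advertises a session id longer than the fixed buffer. If the length
 * byte were trusted without the cap check, a server could make the
 * memcpy below write past the end of out->id. */
int parse_session_id(const uint8_t *msg, size_t msg_len, struct session *out)
{
    if (msg_len < 1)
        return -1;                  /* no length byte present */
    size_t id_len = msg[0];
    if (id_len > TLS_MAX_SESSION_ID_LEN)
        return -1;                  /* the bounds check on the advertised length */
    if (msg_len - 1 < id_len)
        return -1;                  /* length byte claims more data than was received */
    memcpy(out->id, msg + 1, id_len);
    out->id_len = id_len;
    return 0;
}

/* Constructed sample inputs: a valid 4-byte session id, and a message
 * whose length byte (0xc8 = 200) exceeds the 32-byte maximum. */
static const uint8_t good_msg[] = { 0x04, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t bad_msg[]  = { 0xc8, 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
    struct session s;
    printf("valid message: %d\n", parse_session_id(good_msg, sizeof good_msg, &s));
    printf("oversized length byte: %d\n", parse_session_id(bad_msg, sizeof bad_msg, &s));
    return 0;
}
```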

The GnuTLS library was exposed to a serious vulnerability last March that allowed hackers to fake security certificates, prompting developers to scramble for a fix.

While the current problem was patched last week, the fix still needs to be applied to dependent software to ensure systems remain secure.

Hugh Thompson of security firm Blue Coat previously predicted Heartbleed would have a "long tail" in an interview with CBR last month, foresight that was confirmed last week by Cupid, the so-called "Son of Heartbleed", which affected Linux and Android users.

"I definitely wouldn't advise against open source software," he added. "[But] I think it's a very interesting call to action for open source committees."

The vulnerability was discovered by Codenomicon, the same company that uncovered the Heartbleed bug in OpenSSL, with principal analyst Joonas Kuorilehto credited with reporting the problem.

Source: Company Press Release
