Linux now affected by Heartbleed-esque bug


by Jimmy Nicholls | 05 June 2014

Debian, Red Hat and Ubuntu software packages all at risk.

Linux has been hit by a Heartbleed-esque bug affecting more than 350 software packages across various distributions including Debian, Red Hat and Ubuntu.

The flaw is said to lie in the GnuTLS library, a free implementation of the TLS/SSL encryption protocols akin to OpenSSL, the technology in which the Heartbleed bug arose.

Red Hat said: "A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code."

A buffer overflow can occur when a program writes more data than fits in the region of memory set aside for temporary data, overwriting adjacent memory and leading to strange behaviour from programs, including security problems and software crashes.
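The length check that prevents the kind of overflow Red Hat describes, as an added example that is not GnuTLS code and not part of the original article. The struct, the function names and the constructed test messages are hypothetical; the 32-byte limit is the maximum session ID length the TLS protocol allows.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_MAX_SESSION_ID 32   /* TLS defines SessionID as opaque<0..32> */

struct session { uint8_t id[TLS_MAX_SESSION_ID]; uint8_t id_len; };

/* Unsafe pattern, for comparison only: trusts the peer-supplied length
 * byte, so any value above 32 makes memcpy write past s->id. */
int parse_session_id_unchecked(const uint8_t *p, size_t n, struct session *s)
{
    if (n < 1) return -1;
    memcpy(s->id, p + 1, p[0]);                  /* no bound on p[0] */
    s->id_len = p[0];
    return 1 + p[0];
}

/* Hardened: validate the claimed length against the protocol maximum and
 * against the bytes actually received before copying anything. */
int parse_session_id(const uint8_t *p, size_t n, struct session *s)
{
    if (n < 1) return -1;
    uint8_t len = p[0];
    if (len > TLS_MAX_SESSION_ID) return -1;     /* would overflow s->id */
    if ((size_t)len > n - 1) return -1;          /* message is truncated */
    memcpy(s->id, p + 1, len);
    s->id_len = len;
    return 1 + (int)len;                         /* bytes consumed */
}

/* Constructed input: one length byte followed by filler, `total` bytes
 * long (at most 256). Returns what the hardened parser returns. */
int try_message(uint8_t claimed, size_t total)
{
    uint8_t msg[256];
    struct session s;
    memset(msg, 0xAB, sizeof msg);
    msg[0] = claimed;
    return parse_session_id(msg, total, &s);
}

int main(void)
{
    printf("claimed 32 of 33 bytes   -> %d\n", try_message(32, 33));
    printf("claimed 33 of 256 bytes  -> %d\n", try_message(33, 256));
    printf("claimed 200 of 256 bytes -> %d\n", try_message(200, 256));
    printf("claimed 32 of 10 bytes   -> %d\n", try_message(32, 10));
    return 0;
}
```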

The GnuTLS library was exposed to a serious vulnerability last March allowing hackers to fake security certificates, prompting a scramble among developers to fix the issue.

While the current problem was patched last week, fixes need to be implemented in dependent software to ensure systems remain secure.

Hugh Thompson of security firm Blue Coat previously predicted Heartbleed would have a "long tail" in an interview with CBR last month, foresight that was confirmed last week by Cupid, the so-called "Son of Heartbleed", which affected Linux and Android users.

"I definitely wouldn't advise against open source software," he added. "[But] I think it's a very interesting call to action for open source committees."

The vulnerability was discovered by Codenomicon, the same company that uncovered the Heartbleed bug in OpenSSL, with principal analyst Joonas Kuorilehto credited with reporting the problem.

Source: Company Press Release
