The open source GnuTLS cryptographic library is in the news again for a security flaw that could put many Linux distribution users at risk from attack. The issue comes just a few months after the Heartbleed flaw in OpenSSL enabled the surveillance and theft of server transmissions. It is also the second major setback for GnuTLS this year, following an SSL/TLS bypass exploit discovered in early March.
Open source software development has unique risks. Many developers, covering a full range of skill levels, contribute to projects, but there is often minimal incentive, financially or otherwise, to constantly vet code for security risks. Issues are often discovered after the fact. Enterprises can avoid a similar situation by using a commercial test management solution and testing metrics to streamline quality assurance processes and ensure efficient collaboration.
GnuTLS Bug Can Mess Up HTTPS Requests
The new GnuTLS bug was discovered in late May and has already been patched. However, because hundreds of distributions rely on the library and each packages it in its own way, it may take time for the fix to make the rounds and for the issue to subside.
On a technical level, the flaw lets a malicious server deliver malformed data while an HTTPS connection is being established, which could then result in arbitrary code execution on the connecting client. Overall, users of unpatched GnuTLS clients could be vulnerable to drive-by attacks that would give off no signs, other than possibly a crash, that a hijacking was under way.
"A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake," stated a post on Red Hat Bug Tracker. "A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or possibly execute arbitrary code."
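The Red Hat description above comes down to one missing bounds check: the session ID carried in a ServerHello has a one-byte length prefix that the server controls, and the client must not trust it. The following is an added illustration, not GnuTLS code, of how a client-side parser should treat that field. It assumes a simplified ServerHello layout (version, 32-byte random, length-prefixed session ID) and uses constructed sample messages; the struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLS_MAX_SESSION_ID 32  /* RFC 5246: SessionID is <0..32> bytes */

/* Simplified ServerHello body (hypothetical layout for this example):
 *   ProtocolVersion server_version  (2 bytes)
 *   Random          random          (32 bytes)
 *   SessionID       session_id      (1-byte length + 0..32 bytes)
 * Extensions and cipher suite are omitted for brevity. */
typedef struct {
    uint8_t version[2];
    uint8_t random[32];
    uint8_t session_id[TLS_MAX_SESSION_ID];  /* fixed-size, so length must be bounded */
    size_t  session_id_len;
} server_hello_t;

/* Returns 0 on success, -1 if the message is malformed or oversized. */
int parse_server_hello(const uint8_t *buf, size_t len, server_hello_t *out)
{
    size_t pos = 0;
    if (buf == NULL || out == NULL) return -1;
    if (len < 2 + 32 + 1) return -1;              /* version + random + sid length */

    memcpy(out->version, buf + pos, 2); pos += 2;
    memcpy(out->random,  buf + pos, 32); pos += 32;

    size_t sid_len = buf[pos++];                  /* server-controlled length byte */

    /* The checks a vulnerable parser skips: bound the length by the
     * protocol maximum (the size of the destination buffer) AND by the
     * bytes actually present in the received message. */
    if (sid_len > TLS_MAX_SESSION_ID) return -1;  /* would overflow session_id[] */
    if (sid_len > len - pos)          return -1;  /* would read past the message */

    memcpy(out->session_id, buf + pos, sid_len);
    out->session_id_len = sid_len;
    return 0;
}

/* Constructed sample message builder; caller guarantees cap >= 35 + sid_len. */
static size_t build_hello(uint8_t *msg, size_t cap, size_t sid_len)
{
    size_t pos = 0;
    if (cap < 35 + sid_len) return 0;
    msg[pos++] = 0x03; msg[pos++] = 0x03;         /* TLS 1.2 version bytes */
    memset(msg + pos, 0xAB, 32); pos += 32;       /* placeholder random */
    msg[pos++] = (uint8_t)sid_len;
    memset(msg + pos, 0x11, sid_len); pos += sid_len;
    return pos;
}

/* A well-formed hello with a 16-byte session ID is accepted. */
int check_valid_hello(void)
{
    uint8_t msg[300]; server_hello_t sh;
    size_t n = build_hello(msg, sizeof msg, 16);
    return parse_server_hello(msg, n, &sh) == 0 && sh.session_id_len == 16;
}

/* A hello whose length byte claims 255 session-ID bytes is rejected. */
int check_oversized_hello_rejected(void)
{
    uint8_t msg[300]; server_hello_t sh;
    size_t n = build_hello(msg, sizeof msg, 255);
    return parse_server_hello(msg, n, &sh) == -1;
}

/* A hello that claims 16 bytes but only carries 12 is rejected. */
int check_truncated_hello_rejected(void)
{
    uint8_t msg[300]; server_hello_t sh;
    size_t n = build_hello(msg, sizeof msg, 16);
    return parse_server_hello(msg, n - 4, &sh) == -1;
}

int main(void)
{
    printf("valid accepted:      %d\n", check_valid_hello());
    printf("oversized rejected:  %d\n", check_oversized_hello_rejected());
    printf("truncated rejected:  %d\n", check_truncated_hello_rejected());
    return 0;
}
```

The two checks on `sid_len` are the whole point: the first protects the fixed-size destination buffer, the second protects against reading beyond the received bytes. A fuzzer or a unit test that feeds length bytes above 32 is the kind of regression check a test management process should keep for every length-prefixed field in a handshake parser.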
It is unknown whether the bug had been present in GnuTLS for some time or was introduced only recently. The GnuTLS vulnerability that was brought to light last March may have been present for almost nine years, underscoring the potential for major flaws to go undetected even in large-scale open source projects. That one enabled makers of counterfeit certificates to get GnuTLS to deem them legitimate.
Beyond GnuTLS and Heartbleed, the creators of open source TrueCrypt recently posted a warning that their library was no longer secure. Major projects such as Network Time Protocol, OpenSSL and OpenSSH, while vital to general Internet security, have historically been underfunded, creating the risk that issues go unaddressed due to constraints on time and finances. Both Network Time Protocol and OpenSSL have been subject to targeted exploitation this year. It is instances like these that bolster the argument that adopting a commercial testing system and testing metrics is inevitable.
Continuous collaboration is indeed vital to the well-being of the product development and software testing industry, which is why it needs solid technical and procedural underpinnings. It is important to note that only a robust test management system, one that facilitates easy reuse of scenarios as well as integration with a wide range of tools via APIs, makes coordination of projects highly efficient.