A security flaw in a key cryptographic program has been revealed in the Linux gnuTLS package, an optional component for third-party bitcoin and altcoin client applications.
The gnuTLS SSL library is included in many open-source packages such as those in Red Hat, Ubuntu and Debian distributions of Linux.
Originally discovered during an audit of gnuTLS for Red Hat, the effects of the flaw are wide-reaching for developers.
Explained Ars Technica in its report:
“[The] attacks circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.”
The bug, the source explains, is the result of commands in a section of the gnuTLS code that handle certificate verification. Estimates suggest the error could have been introduced as far back as 2005, though it was discovered on 4th March.
Further, more than 200 different operating systems and apps could be affected.
GnuTLS bug REALLY BAD: bypass SSL, TLS over 200 different OS’s, Apps that rely on GnuTLS for SSL and TLS operations http://t.co/Tj7nA9R0ih
— Team Cymru (@teamcymru) March 5, 2014
The flaw, which involves errors with several “goto cleanup” calls, is potentially dangerous as it effectively allows someone to perform a “man in the middle attack”, by which encrypted communications between a client and the web server can be exploited with specially crafted certificates.
Wrote Red Hat in its assessment:
“An attacker could use this flaw to create a specially crafted certificate that could be accepted by gnuTLS as valid for a site chosen by the attacker.”
Impact on bitcoin users
Despite the alarm the bug has raised in the wider tech community, bitcoin lead developer Jeff Garzik told CoinDesk that the issue is unlikely to have a substantial impact on bitcoin, though some will be affected.
Explained Garzik:
“The gnuTLS bug is pretty bad, but very few use gnuTLS in the bitcoin community. OpenSSL is standard.”
Garzik indicated that the use of OpenSSL mitigates a fork risk that is present when using other competing libraries for key software, such as gnuTLS.
He also stated that projects using OpenSSL, Mozilla NSS, Crypto++ or another crypto library are not impacted by the bug. Anyone who has compiled Bitcoind against this SSL package, however, would have an implementation that was vulnerable, he noted.
Ankur Nandwani, a developer at Bitmonet, suggested hosted wallet users and the users of bitcoin exchanges would be most affected, but stated that there are easy protections to prevent issues.
“In both cases, an attacker can sniff users credentials, when users are trying to log-in to their account. To reduce the probability of online wallets and exchange credentials from being compromised, it is really important that everyone use two-factor authentication.”
Nandwani said that the bug is evidence that bitcoin users should reduce their reliance on online wallets and exchanges.
Implementing a fix
The gnuTLS team has since announced an update to account for the flaw, one bitcoin and altcoin users and developers in need of the fix can now upgrade to. Red Hat indicated that gnuTLS users should upgrade their packages to correct the issue, and indicated that all applications linked to the gnuTLS library must be restarted for the update to take place.
Though mistakes are resolved in version 3.2.12, they still linger among those in the public, which has invoked comparisons to other extreme errors in coding flaw history.
Gnu has an even worse networking security flaw than Apple had… And since 2005… http://t.co/iiuxG10XdK
— JoergR (@JoergR) March 5, 2014
For the full explanation of the error and how to proceed if you’re affected, click here.
Image credit: Computer code via Shutterstock