Red Hat programmer discovers major security flaw in Linux

7 hours ago by Bob Yirka

(Phys.org) —Programmer Nikos Mavrogiannopoulos, who works for Red Hat, has discovered a major security problem in GnuTLS, a cryptographic library that ships with most Linux distributions: a bug that could allow an attacker to craft a certificate that bypasses the normal validity checks. Red Hat sent out an immediate alert and advises everyone who uses its products to update with the fix it has made available.

Officially known as CVE-2014-0092, the bug appears to be a simple programming error, one that had sat in the GnuTLS code since 2005. More specifically, it lies in the way GnuTLS (a library that implements SSL/TLS and the X.509 certificate handling that goes with it) validates X.509 certificates. In many respects, the error resembles the "goto fail" security problem that cropped up in iOS and OS X recently. Both involve the goto statement, which high-profile programmers have criticized for years, but goto itself is not the whole story. In GnuTLS, the certificate-checking functions jumped to a shared cleanup label whenever a sub-step failed, and the cleanup code then returned the variable holding that failure: a negative error code. The callers tested the return value as a plain true/false answer, and since any nonzero value counts as true in C, an error was read as "the certificate checks out". The pattern is easy to get wrong because the programmer has to consider every path that can reach the cleanup label and what the result variable holds on each of them.

In this instance, the jumps to the cleanup code were taken under conditions that short-circuited the remaining checks (for example when a sub-step such as extracting the signed data from a certificate failed), so certificates that had in fact failed verification were reported as verified. An attacker who knew of the flaw could craft a certificate that GnuTLS-based software would accept as valid and use it to impersonate a site or service, intercepting and reading traffic that was supposed to be protected by TLS. That could impact a lot of users, as Linux, and Red Hat's distribution in particular, is very commonly used as a web server operating system. Note that it is the side doing the verification that is fooled: a program that links GnuTLS and checks the peer's certificate, whether a client checking a server or a server checking a client certificate.
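The pattern behind the bug, as an added illustration that is not GnuTLS's code or its patch: a constructed, simplified model in C of a CA check whose error path jumps to a shared cleanup label and returns the negative error code, beside the shape of the corrected version, which sends errors to a separate label that zeroes the result (the approach the upstream fix took). The struct cert, get_signed_data, ERR_BAD_DER, verify_chain and accept_issuer names are assumptions made for this example.

```c
/* Added, simplified model of the CVE-2014-0092 bug class. This is a
 * constructed example, not GnuTLS's code: the struct, helper and names
 * are assumptions made for illustration. */
#include <stdio.h>

/* Stand-in for a parsed certificate (assumed fields, not GnuTLS's). */
struct cert {
    int is_ca;          /* basicConstraints CA bit: 1 = CA, 0 = not a CA */
    int malformed_sig;  /* 1 = the signed data cannot be extracted */
};

#define ERR_BAD_DER (-10)  /* hypothetical negative error code */

/* Stand-in for a helper that extracts the signed data and fails with a
 * negative error code, in the style of GnuTLS's internal helpers. */
static int get_signed_data(const struct cert *c)
{
    return c->malformed_sig ? ERR_BAD_DER : 0;
}

/* Vulnerable shape. Every error path jumps to "cleanup", which returns
 * whatever "result" holds. On error that is a negative error code, and
 * the caller tests the value as a boolean: nonzero means "is a CA". */
int check_if_ca_vulnerable(const struct cert *issuer)
{
    int result;

    result = get_signed_data(issuer);
    if (result < 0)
        goto cleanup;   /* BUG: result is still ERR_BAD_DER here */

    result = issuer->is_ca ? 1 : 0;

cleanup:
    return result;      /* -10 on error, which reads as true */
}

/* Corrected shape (the approach the upstream fix took): error paths go
 * to a separate label that forces the boolean result to 0 before the
 * shared cleanup code runs. */
int check_if_ca_fixed(const struct cert *issuer)
{
    int result;

    result = get_signed_data(issuer);
    if (result < 0)
        goto fail;

    result = issuer->is_ca ? 1 : 0;
    goto cleanup;

fail:
    result = 0;         /* an error must never read as "true" */
cleanup:
    return result;
}

/* Caller in the style of a chain verifier: accept (1) only if the
 * issuer is a CA, reject (0) otherwise. */
int verify_chain(const struct cert *issuer,
                 int (*check_if_ca)(const struct cert *))
{
    if (!check_if_ca(issuer))
        return 0;
    return 1;
}

/* Scenario driver: does a verifier (fixed or not) accept an issuer with
 * the given CA bit and signature state? Returns 1 = accept, 0 = reject. */
int accept_issuer(int is_ca, int malformed_sig, int use_fix)
{
    struct cert issuer = { is_ca, malformed_sig };
    return verify_chain(&issuer,
                        use_fix ? check_if_ca_fixed : check_if_ca_vulnerable);
}

int main(void)
{
    /* A forged issuer: not a CA, and its signed data is unparsable. */
    printf("vulnerable verifier accepts forged issuer: %d\n", accept_issuer(0, 1, 0));
    printf("fixed verifier accepts forged issuer:      %d\n", accept_issuer(0, 1, 1));
    printf("fixed verifier accepts a real CA:          %d\n", accept_issuer(1, 0, 1));
    return 0;
}
```

The point to take from the model is that the vulnerable function is internally consistent (negative means error) and the caller is internally consistent (nonzero means yes); the bug lives at the boundary, where a function that returns a boolean on success also lets an error code escape. Separating the failure label from the cleanup label keeps the two meanings from ever sharing a variable on the way out.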

What is most surprising about the bug is that it went undetected for so long. GnuTLS, like the rest of a Linux distribution, is open source, which means thousands, if not millions, have access to the source code, every one of whom can test any part of it. That no one thought to independently test every part of such an important library seems almost unfathomable.

Now that the bug has been identified, fixed packages are available for virtually all Linux distributions, which users can download. Administrators can compare the installed package (on Red Hat systems, rpm -q gnutls) against the versions listed in the advisory, remembering that programs which bundle their own copy of the library need updating separately. Sadly, not everyone keeps up on such reports, which means the bug could well live on in many web servers and other systems around the world for years to come.


More information: rhn.redhat.com/errata/RHSA-2014-0246.html

© 2014 Phys.org


User comments: 3


Eikka

not rated yet, 3 hours ago

"every one of whom can test any part of it"

Technically, but not practically speaking.

Extremely few people go around poking the source code of their operating system for fun without a pressing need - and even when they do it's a snowball's chance in hell they'll just stumble on the particular line of code that contains the bug among the millions of lines of code - assuming they're competent enough to notice or do anything about it in the first place.

It all takes time, money and effort, and unless you're paid to do it you probably just don't give a toss. Meanwhile, people who are trying to break into these systems do have the motivation and time, and often the money to spend the time poking around to see what breaks - and then tell nobody else about it.

That's why I find the Linus's law of "Many eyes make all bugs shallow" a load of rubbish because the eyes are blind. If there is a bug in open source software, chances are the black hats are going to find it first.

rjflory

not rated yet, 2 hours ago

Technically the problem is not with the operating system itself, but with an accessory library maintained by a completely different group. This library is also used by several other operating systems besides Linux.

To claim the problem is with the Linux operating system is akin to claiming a bug in the QuickTime player or Acrobat Reader is the fault of Microsoft - it isn't...

Bonia

not rated yet, 36 minutes ago

"every one of whom can test any part of it... technically, but not practically speaking"

IMO the possibility to compile and install network servers from source code is utilized by malicious network admins for the introduction of their private backdoors much more often than for reporting the errors to the community. In Windows the system libraries are checked against their CRC codes during each start of Windows. Every attempt to replace some library with a private one is not only more difficult (as you have no access to the source code), but the system recognizes it and replaces it with its original version from the repository.


© Phys.org™ 2003-2013, Science X network


http://phys.org/news/2014-03-red-hat-programmer-major-flaw.html