As recently as yesterday, the top story on Ars Technica and ZDNet, among others, was the disturbing revelation of a serious security vulnerability in GnuTLS. GnuTLS is a cryptographic library used in many Linux distributions, dating back to 2005.
What is GnuTLS
Without getting too technical, GnuTLS is a security protocol library used by many software developers to implement the SSL, TLS and DTLS protocols. You may recognize SSL (Secure Sockets Layer) as the protective lock icon in a web browser that informs you when you are in a secure section of a website.
When developing a piece of software, a developer will usually choose a trusted, openly available package like GnuTLS to provide the security functions their software needs. This common practice speeds up software development. However, when a flaw is found in such a commonly used package, it can have wide-ranging ramifications.
Does the GnuTLS Bug Affect DD-WRT Router Firmware
For FlashRouters, the immediate concern is the potential effect of the GnuTLS bug on the popular open source DD-WRT firmware package. Thankfully, the answer came quickly and assuredly from Kong, one of the top DD-WRT developers, in the official DD-WRT forum. Kong stated that DD-WRT does not use GnuTLS, so it is not affected.
Kong also noted that he had proactively reviewed the DD-WRT source code to check for vulnerabilities. This was after the revelations regarding the Asus/Linksys firmware "Moon" issue and the Team Cymru Threat Intelligence Group report on growing DNS security problems in SOHO routers.
In response, an authentication timeout tweak was added to the DD-WRT web interface. So thanks to Kong and the other hard-working members of the DD-WRT development and testing team for staying ahead of the security curve. As usual, security concerns seem to be a top priority for the DD-WRT folks. For more information on DD-WRT, check out the Intro to DD-WRT Firmware.
What Linux OS Users Should Know About the GnuTLS Cryptobug
Comparisons have been made between this bug and the recent Apple SSL issue that forced a speedy iOS patch in late February, and that is understandable. The one advantage for iOS and Mac users is that a single major update can be pushed out to patch the hole, but the variety of Linux distributions in use can allow this issue to linger for those running older, outdated or less frequently updated programs and operating systems.
What Does the GnuTLS Bug Affect
It appears that, in general, while a good number of distributions and programs use GnuTLS, the most security-critical programs have shifted away from GnuTLS to OpenSSL, an alternative and preferred security protocol library.
Most web applications rely on OpenSSL rather than GnuTLS as well. According to multiple sources, major open-source web browser projects, such as Firefox and Chrome, are unaffected, at least in their most recent updates.
Updates to full Linux OS distros have been popping up quickly and steadily from affected parties such as Red Hat and CentOS, as well as from GnuTLS itself. Some popular applications, such as FileZilla, Claws Mail, and Pidgin, are affected. It is highly recommended that you check for recent security updates on security-reliant programs and operating systems that could potentially be affected.
PCWorld quoted Dave Wreski of open-source security firm Guardian Digital for analysis on what the next step for Linux users should be:
Users of current Linux distributions should contact their service provider or administrator to ensure their system is updated properly, while users of older, unsupported Linux platforms should upgrade to the latest release or disable applications that link against vulnerable software…
So basically, stay aware, keep your security patches in order and rely on providers that have your security and safety at the forefront of their mind. As this story develops, we’ll surely keep on top of it.
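The "applications that link against vulnerable software" part of the quoted advice can be checked directly on a Linux box. The script below is an added example, not code from the original post or from GnuTLS/DD-WRT: it lists executables whose dynamic dependencies (as reported by `ldd`) include a libgnutls shared object, and it ships with a constructed ldd listing so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example: find executables that dynamically link libgnutls.
# Assumes a Linux host with ldd, find, grep and awk available.

# gnutls_deps LDD_OUTPUT -> prints the libgnutls entries found in an ldd listing
gnutls_deps() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*libgnutls[^ ]*\.so' | awk '{print $1}'
}

# links_gnutls PATH -> exit 0 if the binary at PATH links against libgnutls
links_gnutls() {
    ldd "$1" 2>/dev/null | grep -qE '^[[:space:]]*libgnutls[^ ]*\.so'
}

# scan_dirs DIR... -> print the executables directly under each DIR that link libgnutls
scan_dirs() {
    for d in "$@"; do
        find "$d" -maxdepth 1 -type f -perm -u+x 2>/dev/null
    done | while IFS= read -r f; do
        if links_gnutls "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed ldd output (not from a real binary) used to self-check the parser.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd4a1fe000)
	libgnutls.so.26 => /usr/lib/x86_64-linux-gnu/libgnutls.so.26 (0x00007f2a3c000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a3bc00000)'

# Usage: sh scan.sh /usr/bin /usr/sbin
if [ "$#" -gt 0 ]; then
    scan_dirs "$@"
fi
```

ldd only reports libraries resolved through the dynamic linker, so a program that loads GnuTLS with dlopen() or has it statically linked will not show up; treat the output as a starting list, not a complete one.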