BREAKING – Critical Crypto Security Bug: Linux, Bitcoin Client Apps At Risk

March 5, 2014 19:23 UTC
Security Advisory issued for gnutls package – “vulnerable to eavesdropping”

A security vulnerability has been discovered in the standard Linux GnuTLS package. Both the Bitcoin daemon and wallet client are unaffected, but some third-party client applications depend on this package for cryptographic library interaction. As a result, all altcoin client applications using gnutls are also affected.

GnuTLS is a package that references the OpenSSL library and is used by most Linux and open source applications for socket encryption. Linux distributions ranging from Debian to Ubuntu and Red Hat are at risk of eavesdropping in a similar manner to the recent Mac OS X bug that allowed the keylogging Pony botnet to carry out the theft of over 700,000 online credentials, including online wallet passwords – resulting in the theft of $220,000 worth of cryptocurrency.

The description of the security bug is outlined as follows at Ubuntu Security Notices:

Nikos Mavrogiannopoulos discovered that GnuTLS incorrectly handled certificate verification functions. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited with specially crafted certificates to view sensitive information. CVE-2014-0092
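What "incorrectly handled certificate verification functions" amounted to, shown as an added C example that is not the page's or GnuTLS's own code: in the upstream fix for CVE-2014-0092, an error inside a certificate-parsing helper jumped to a cleanup label that returned the negative error code, and the callers treated any nonzero value as "this issuer is a valid CA". The `cert_t` struct, `get_basic_constraints()` and `ERR_PARSE` are constructed stand-ins for the real X.509 parsing code.

```c
#include <stdbool.h>

/* Constructed stand-in for a certificate: only the fields the check needs. */
typedef struct {
    const char *subject;
    bool has_basic_constraints;  /* extension present and parsable */
    bool is_ca;                  /* CA flag inside that extension  */
} cert_t;

#define ERR_PARSE (-5)  /* constructed negative error code, GnuTLS style */

/* Helper: 0 on success, negative error code when the extension is unparsable. */
static int get_basic_constraints(const cert_t *c, bool *is_ca)
{
    if (!c->has_basic_constraints)
        return ERR_PARSE;
    *is_ca = c->is_ca;
    return 0;
}

/* Vulnerable pattern: an error jumps to cleanup and returns the negative
 * error code, but the caller only tests "!= 0" to mean "is a CA". */
int check_if_ca_vulnerable(const cert_t *issuer)
{
    bool is_ca = false;
    int result = get_basic_constraints(issuer, &is_ca);
    if (result < 0)
        goto cleanup;  /* BUG: result is still negative here */
    result = is_ca ? 1 : 0;
cleanup:
    return result;
}

/* Fixed pattern: every error path returns 0 ("not a CA"), so the
 * boolean contract holds whatever the helper's error code was. */
int check_if_ca_fixed(const cert_t *issuer)
{
    bool is_ca = false;
    if (get_basic_constraints(issuer, &is_ca) < 0)
        return 0;  /* error == not a CA */
    return is_ca ? 1 : 0;
}

/* Caller in the verification chain: any nonzero answer accepts the issuer. */
bool issuer_accepted(int (*check)(const cert_t *), const cert_t *issuer)
{
    return check(issuer) != 0;
}
```

A certificate whose basic-constraints extension fails to parse is rejected by the fixed check but accepted by the vulnerable one, which is why a malformed certificate was enough to pass verification.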

At this moment we are still gathering information on this severe security vulnerability – no doubt, one of the biggest to ever affect Linux.

Readers are advised to upgrade their Linux distribution packages to the latest versions and, where packages are not yet upgraded, to refrain from performing online transactions or logins to sensitive sites (banking, online wallet services, etc.).

Developers and miners running Linux installations should manually upgrade to gnutls 3.2.12.
Specifically, look for packages like libcurl4-gnutls-dev that most certainly need upgrading.

The discoverer of the vulnerability sent out a Security Advisory two days ago warning of the exploit and his bug fix. Following a security alert, it usually takes the package maintainers of the different Linux distributions a few hours to a few days to incorporate the fixes into their own package repositories.

GnuTLS files typically installed in Ubuntu 12.04 LTS:

Operating Systems not affected

Google Android
Microsoft Windows

The above OSes do not install or use GnuTLS by default; however, where individual user-installed applications use the GnuTLS library, the vulnerability will most definitely present a security risk.

Have you been affected by this security vulnerability? Please tell us about it in the comments section below.

Last modified: March 5, 2014 22:27 UTC
