Bug 1080826 (CVE-2018-0487)

Summary: VUL-0: CVE-2018-0487 mbedtls: Risk of remote code execution when verifying RSASSA-PSS signatures
Product: [openSUSE] openSUSE Distribution Reporter: Karol Babioch <karol>
Component: SecurityAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium    
Version: Leap 42.3   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/199923/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Karol Babioch 2018-02-13 15:51:11 UTC 
rh#1544728

When RSASSA-PSS signature verification is enabled, sending a maliciously constructed certificate chain can be used to cause a buffer overflow on the peer's stack, potentially leading to crash or remote code execution. This can be triggered remotely from either side in both TLS and DTLS.

RSASSA-PSS is the part of PKCS #1 v2.1 standard and can be enabled by the compile time option MBEDTLS_PKCS1_V21 in config.h. If MBEDTLS_PKCS1_V21 is disabled when compiling the library, then the vulnerability is not present. RSASSA-PSS signatures are enabled in the default configuration.

Affected versions: all versions of Mbed TLS from version 1.3.8 and up, including all 2.1 and later releases

Reference:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1544728
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0487
Comment 1 Swamp Workflow Management 2018-02-14 14:20:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1080826) was mentioned in
https://build.opensuse.org/request/show/576771 42.3+Backports:SLE-12 / mbedtls
Comment 2 Swamp Workflow Management 2018-02-20 17:09:22 UTC 
openSUSE-SU-2018:0488-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1080826,1080828,1080973
CVE References: CVE-2017-18187,CVE-2018-0487,CVE-2018-0488
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    mbedtls-1.3.19-11.1
Comment 3 Swamp Workflow Management 2018-02-20 17:11:50 UTC 
openSUSE-SU-2018:0491-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1080826,1080828,1080973
CVE References: CVE-2017-18187,CVE-2018-0487,CVE-2018-0488
Sources used:
openSUSE Leap 42.3 (src):    mbedtls-1.3.19-21.1
Comment 4 Marcus Meissner 2018-02-21 06:23:40 UTC 
released