Bug 1080828 (CVE-2018-0488)

Summary: VUL-0: CVE-2018-0488 mbedtls: Risk of remote code execution when truncated HMAC is enabled
Product: [openSUSE] openSUSE Distribution Reporter: Karol Babioch <karol>
Component: SecurityAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium    
Version: Leap 42.3   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/199924/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Karol Babioch 2018-02-13 15:51:32 UTC
rh#1544727

When the truncated HMAC extension is enabled and CBC is used, sending a malicious application packet can be used to selectively corrupt 6 bytes on the peer's heap, potentially leading to a crash or remote code execution. This can be triggered remotely from either side in both TLS and DTLS.

If the truncated HMAC extension, which can be set by the compile time option MBEDTLS_SSL_TRUNCATED_HMAC in config.h, is disabled when compiling the library, then the vulnerability is not present. The truncated HMAC extension is enabled in the default configuration.

The vulnerability is only present if

* The compile-time option MBEDTLS_SSL_TRUNCATED_HMAC is set in config.h. (It is set by default) AND
* The truncated HMAC extension is explicitly offered by calling mbedtls_ssl_conf_truncated_hmac(). (It is not offered by default)

Affects versions: all versions of Mbed TLS from version 1.3.0 and up, including all 2.1 and later releases

Reference:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1544727
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0488
Comment 1 Swamp Workflow Management 2018-02-14 14:20:10 UTC
This is an autogenerated message for OBS integration:
This bug (1080828) was mentioned in
https://build.opensuse.org/request/show/576771 42.3+Backports:SLE-12 / mbedtls
Comment 2 Swamp Workflow Management 2018-02-20 17:09:31 UTC
openSUSE-SU-2018:0488-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1080826,1080828,1080973
CVE References: CVE-2017-18187,CVE-2018-0487,CVE-2018-0488
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    mbedtls-1.3.19-11.1
Comment 3 Swamp Workflow Management 2018-02-20 17:11:58 UTC
openSUSE-SU-2018:0491-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1080826,1080828,1080973
CVE References: CVE-2017-18187,CVE-2018-0487,CVE-2018-0488
Sources used:
openSUSE Leap 42.3 (src):    mbedtls-1.3.19-21.1
Comment 4 Marcus Meissner 2018-02-21 06:27:23 UTC
released