Bug 1080828 - (CVE-2018-0488) VUL-0: CVE-2018-0488 mbedtls: Risk of remote code execution when truncated HMAC is enabled
(CVE-2018-0488)
VUL-0: CVE-2018-0488 mbedtls: Risk of remote code execution when truncated HM...
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 42.3
Other Other
: P3 - Medium : Minor (vote)
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/199924/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-02-13 15:51 UTC by Karol Babioch
Modified: 2018-02-21 06:27 UTC (History)
0 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Karol Babioch 2018-02-13 15:51:32 UTC
rh#1544727

When the truncated HMAC extension is enabled and CBC is used, sending a malicious application packet can be used to selectively corrupt 6 bytes on the peer's heap, potentially leading to a crash or remote code execution. This can be triggered remotely from either side in both TLS and DTLS.

If the truncated HMAC extension, which can be set by the compile time option MBEDTLS_SSL_TRUNCATED_HMAC in config.h, is disabled when compiling the library, then the vulnerability is not present. The truncated HMAC extension is enabled in the default configuration.

The vulnerability is only present if

* The compile-time option MBEDTLS_SSL_TRUNCATED_HMAC is set in config.h. (It is set by default) AND
* The truncated HMAC extension is explicitly offered by calling mbedtls_ssl_conf_truncated_hmac(). (It is not offered by default)

Affects versions: all versions of Mbed TLS from version 1.3.0 and up, including all 2.1 and later releases

Reference:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1544727
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0488
Comment 1 Swamp Workflow Management 2018-02-14 14:20:10 UTC
This is an autogenerated message for OBS integration:
This bug (1080828) was mentioned in
https://build.opensuse.org/request/show/576771 42.3+Backports:SLE-12 / mbedtls
Comment 2 Swamp Workflow Management 2018-02-20 17:09:31 UTC
openSUSE-SU-2018:0488-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1080826,1080828,1080973
CVE References: CVE-2017-18187,CVE-2018-0487,CVE-2018-0488
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    mbedtls-1.3.19-11.1
Comment 3 Swamp Workflow Management 2018-02-20 17:11:58 UTC
openSUSE-SU-2018:0491-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1080826,1080828,1080973
CVE References: CVE-2017-18187,CVE-2018-0487,CVE-2018-0488
Sources used:
openSUSE Leap 42.3 (src):    mbedtls-1.3.19-21.1
Comment 4 Marcus Meissner 2018-02-21 06:27:23 UTC
released