Bug 1183729 - (CVE-2021-3446) VUL-0: CVE-2021-3446: libtpms: return of wrong initialization vector when certain symmetric ciphers are used
(CVE-2021-3446)
VUL-0: CVE-2021-3446: libtpms: return of wrong initialization vector when cer...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/279874/
CVSSv3.1:SUSE:CVE-2021-3446:5.9:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-03-18 16:28 UTC by Robert Frohl
Modified: 2021-03-23 01:55 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2021-03-18 16:28:59 UTC
rh#1939664

The commonly used integration of libtpms with OpenSSL contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller. The fix for this required the copying of the last-used IV from OpenSSL so it can be return back to the caller and used in subsequent encryption and decryption steps. The side-effect of the fix is that previously chain-encrypted data will not be decryptable anymore with the TPM 2.

Reference and upstream patch:
https://github.com/stefanberger/libtpms/commit/32c159ab53db703749a8f90430cdc7b20b00975e

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1939664
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3446
https://access.redhat.com/security/cve/CVE-2021-3446
Comment 1 Robert Frohl 2021-03-18 16:29:39 UTC
tracking as affected:

- SUSE:SLE-15-SP3:Update/libtpms
Comment 5 Gary Ching-Pang Lin 2021-03-19 06:20:01 UTC
Fix submitted.
Comment 6 OBSbugzilla Bot 2021-03-19 08:20:08 UTC
This is an autogenerated message for OBS integration:
This bug (1183729) was mentioned in
https://build.opensuse.org/request/show/880046 Factory / libtpms