mbedtls: CVE-2017-14032: authentication bypass

Related Vulnerabilities: CVE-2017-14032  

Debian Bug report logs - #873557
mbedtls: CVE-2017-14032: authentication bypass


Reported by: James Cowgill <jcowgill@debian.org>

Date: Mon, 28 Aug 2017 23:12:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version mbedtls/2.1.2-1

Fixed in versions mbedtls/2.6.0-1, mbedtls/2.4.2-1+deb9u1

Done: James Cowgill <jcowgill@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#873557; Package src:mbedtls. (Mon, 28 Aug 2017 23:12:04 GMT) (full text, mbox, link).


Acknowledgement sent to James Cowgill <jcowgill@debian.org>:
New Bug report received and forwarded. (Mon, 28 Aug 2017 23:12:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <jcowgill@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mbedtls: possible authentication bypass
Date: Tue, 29 Aug 2017 00:09:30 +0100
[Message part 1 (text/plain, inline)]
Source: mbedtls
Version: 2.1.2-1
Severity: grave
Tags: security

Hi,

The following security advisory was published for mbedtls:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02

[Vulnerability]
If a malicious peer supplies an X.509 certificate chain that has more
than MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (which by default is
8), it could bypass authentication of the certificates, when the
authentication mode was set to 'optional' e.g.
MBEDTLS_SSL_VERIFY_OPTIONAL. The issue could be triggered remotely by
both the client and server sides.

If the authentication mode, which can be set by the function
mbedtls_ssl_conf_authmode(), was set to 'required' e.g.
MBEDTLS_SSL_VERIFY_REQUIRED which is the default, authentication would
occur normally as intended.

[Impact]
Depending on the platform, an attack exploiting this vulnerability could
allow successful impersonation of the intended peer and permit
man-in-the-middle attacks.

The advisory states that only mbedtls >= 1.3.10 is affected, which means
that jessie's version of polarssl is not affected.

I think this is the commit which fixes this, but I have not checked yet:
https://github.com/ARMmbed/mbedtls/commit/31458a18788b0cf0b722acda9bb2f2fe13a3fb32

James

[signature.asc (application/pgp-signature, attachment)]

Added tag(s) upstream. Request was from James Cowgill <jcowgill@debian.org> to control@bugs.debian.org. (Mon, 28 Aug 2017 23:15:08 GMT) (full text, mbox, link).


Reply sent to James Cowgill <jcowgill@debian.org>:
You have taken responsibility. (Tue, 29 Aug 2017 17:12:14 GMT) (full text, mbox, link).


Notification sent to James Cowgill <jcowgill@debian.org>:
Bug acknowledged by developer. (Tue, 29 Aug 2017 17:12:14 GMT) (full text, mbox, link).


Message #12 received at 873557-close@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <jcowgill@debian.org>
To: 873557-close@bugs.debian.org
Subject: Bug#873557: fixed in mbedtls 2.6.0-1
Date: Tue, 29 Aug 2017 17:11:34 +0000
Source: mbedtls
Source-Version: 2.6.0-1

We believe that the bug you reported is fixed in the latest version of
mbedtls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873557@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated mbedtls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 29 Aug 2017 16:09:30 +0100
Source: mbedtls
Binary: libmbedtls-dev libmbedcrypto0 libmbedtls10 libmbedx509-0 libmbedtls-doc
Architecture: source
Version: 2.6.0-1
Distribution: unstable
Urgency: high
Maintainer: James Cowgill <jcowgill@debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
 libmbedcrypto0 - lightweight crypto and SSL/TLS library - crypto library
 libmbedtls-dev - lightweight crypto and SSL/TLS library - development files
 libmbedtls-doc - lightweight crypto and SSL/TLS library - documentation
 libmbedtls10 - lightweight crypto and SSL/TLS library - tls library
 libmbedx509-0 - lightweight crypto and SSL/TLS library - x509 certificate library
Closes: 873557
Changes:
 mbedtls (2.6.0-1) unstable; urgency=high
 .
   * New upstream version.
     - Fixes possible authentication bypass if a peer supplies a certificate
       chain with more than 8 intermediates. (Closes: #873557)
 .
   * debian/copyright:
     - Update copyright dates.
     - Use https Format URL.
   * debian/control:
     - Bump standards to 4.1.0 (no changes required).
     - Use debhelper compat 10.
   * debian/libmbedcrypto0.symbols:
     - Add new symbols from 2.6.0.
   * debian/patches:
     - Refresh config patch.
     - Drop all stubs patches - upstream reverted the ABI breakage.




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#873557; Package src:mbedtls. (Tue, 29 Aug 2017 22:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to James Cowgill <jcowgill@debian.org>:
Extra info received and forwarded to list. (Tue, 29 Aug 2017 22:57:03 GMT) (full text, mbox, link).


Message #17 received at 873557@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <jcowgill@debian.org>
To: 873557@bugs.debian.org
Subject: Re: Bug#873557: mbedtls: possible authentication bypass
Date: Tue, 29 Aug 2017 23:53:28 +0100
[Message part 1 (text/plain, inline)]
On 29/08/17 00:09, James Cowgill wrote:
> I think this is the commit which fixes this, but I have not checked yet:
> https://github.com/ARMmbed/mbedtls/commit/31458a18788b0cf0b722acda9bb2f2fe13a3fb32

In addition, this commit must be applied before that one:
https://github.com/ARMmbed/mbedtls/commit/d15795acd5074e0b44e71f7ede8bdfe1b48591fc

I created a test certificate chain for this (before I realized upstream
already had one) which I have attached. The bug can be reproduced using
mbedtls's test programs (available from manually built source).

First, start a server:
programs/ssl/ssl_server2 crt_file=test-certs/chain.pem key_file=test-certs/child.key

Then run the child like this:
programs/ssl/ssl_client2 server_name=Child server_addr=localhost auth_mode=optional

Currently, the client will claim that the certificate validated. This is
quite astounding since I didn't even give the client a list of trusted
CAs!
> . Verifying peer X.509 certificate... ok

After applying the patches the client will correctly fail the
certificate validation.

James
[test-certs.tar.gz (application/gzip, attachment)]
[signature.asc (application/pgp-signature, attachment)]
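
A self-contained C model of the failure mode that the report and the reproduction above describe, added here as an illustration; it is not code from mbedtls or from this bug log. It assumes the bypass arose because the verifier aborted on an over-long chain without recording any failure flag while 'optional' mode ignored the error return, and that the fix poisons the flags; all function names, flag values and error codes below are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Model constants; only the limit of 8 comes from the advisory text. */
#define MAX_INTERMEDIATE_CA 8      /* default MBEDTLS_X509_MAX_INTERMEDIATE_CA */
#define FLAG_NOT_TRUSTED    0x08u  /* hypothetical flag: no trusted CA reached */
#define ERR_VERIFY_FAILED   (-1)   /* hypothetical error code */

enum authmode { VERIFY_OPTIONAL, VERIFY_REQUIRED };

/* Model of the chain verifier. `patched` selects the assumed post-fix
 * behaviour: when the walk is aborted, poison the flags so that
 * "flags == 0" can never be read as a successful verification. */
static int verify_chain(int intermediates, int ends_at_trusted_ca,
                        int patched, uint32_t *flags)
{
    *flags = 0;
    if (intermediates > MAX_INTERMEDIATE_CA) {
        /* Walk aborted before any trust decision was recorded. */
        if (patched)
            *flags = (uint32_t)-1;
        return ERR_VERIFY_FAILED;
    }
    if (!ends_at_trusted_ca) {
        *flags |= FLAG_NOT_TRUSTED;
        return ERR_VERIFY_FAILED;
    }
    return 0;
}

/* Model of the handshake plus the application's own check.
 * Returns 1 if the peer ends up treated as authenticated. */
static int peer_accepted(enum authmode mode, int intermediates,
                         int ends_at_trusted_ca, int patched)
{
    uint32_t flags;
    int ret = verify_chain(intermediates, ends_at_trusted_ca, patched, &flags);

    if (mode == VERIFY_REQUIRED)
        return ret == 0;   /* handshake aborts on any verifier error */

    /* 'optional': the handshake continues whatever ret is, and the
     * application inspects only the stored verify flags afterwards. */
    return flags == 0;
}

int main(void)
{
    /* Arguments: mode, intermediates, ends at trusted CA, patched. */
    printf("optional, 9, untrusted, unpatched: %d\n",
           peer_accepted(VERIFY_OPTIONAL, 9, 0, 0));
    printf("optional, 9, untrusted, patched:   %d\n",
           peer_accepted(VERIFY_OPTIONAL, 9, 0, 1));
    printf("required, 9, untrusted, unpatched: %d\n",
           peer_accepted(VERIFY_REQUIRED, 9, 0, 0));
    return 0;
}
```

An application that must keep 'optional' mode can reduce its exposure to this class of bug by treating any verifier error, not only non-zero flags, as a failed authentication.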

Information forwarded to debian-bugs-dist@lists.debian.org, James Cowgill <jcowgill@debian.org>:
Bug#873557; Package src:mbedtls. (Wed, 30 Aug 2017 19:51:11 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to James Cowgill <jcowgill@debian.org>. (Wed, 30 Aug 2017 19:51:11 GMT) (full text, mbox, link).


Message #22 received at 873557@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: James Cowgill <jcowgill@debian.org>, 873557@bugs.debian.org
Subject: Re: Bug#873557: mbedtls: possible authentication bypass
Date: Wed, 30 Aug 2017 21:48:42 +0200
Control: retitle mbedtls: CVE-2017-14032: authentication bypass

Hi

On Tue, Aug 29, 2017 at 12:09:30AM +0100, James Cowgill wrote:
> Source: mbedtls
> Version: 2.1.2-1
> Severity: grave
> Tags: security
> 
> Hi,
> 
> The following security advisory was published for mbedtls:
> https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02

MITRE has assigned CVE-2017-14032 for this issue.

Regards,
Salvatore



Changed Bug title to 'mbedtls: CVE-2017-14032: authentication bypass' from 'mbedtls: possible authentication bypass'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 30 Aug 2017 19:57:04 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 30 Aug 2017 20:03:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#873557; Package src:mbedtls. (Fri, 01 Sep 2017 10:06:05 GMT) (full text, mbox, link).


Acknowledgement sent to James Cowgill <jcowgill@debian.org>:
Extra info received and forwarded to list. (Fri, 01 Sep 2017 10:06:05 GMT) (full text, mbox, link).


Message #31 received at 873557@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <jcowgill@debian.org>
To: team@security.debian.org
Cc: 873557@bugs.debian.org
Subject: Re: Bug#873557: mbedtls: CVE-2017-14032: authentication bypass
Date: Fri, 1 Sep 2017 11:03:45 +0100
[Message part 1 (text/plain, inline)]
Hi,

On 30/08/17 20:48, Salvatore Bonaccorso wrote:
> Control: retitle mbedtls: CVE-2017-14032: authentication bypass
> 
> Hi
> 
> On Tue, Aug 29, 2017 at 12:09:30AM +0100, James Cowgill wrote:
>> Source: mbedtls
>> Version: 2.1.2-1
>> Severity: grave
>> Tags: security
>>
>> Hi,
>>
>> The following security advisory was published for mbedtls:
>> https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
> 
> MITRE has assigned CVE-2017-14032 for this issue.

Does the attached patch look OK for stretch? I did a bit of testing with
it and it seems to fix the issue for me.

Thanks,
James
[mbedtls-2.4.2-1+deb9u1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, James Cowgill <jcowgill@debian.org>:
Bug#873557; Package src:mbedtls. (Tue, 05 Sep 2017 04:48:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to James Cowgill <jcowgill@debian.org>. (Tue, 05 Sep 2017 04:48:03 GMT) (full text, mbox, link).


Message #36 received at 873557@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: James Cowgill <jcowgill@debian.org>, 873557@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#873557: mbedtls: CVE-2017-14032: authentication bypass
Date: Tue, 5 Sep 2017 06:46:00 +0200
[Message part 1 (text/plain, inline)]
Hi James

Apologies for the delay!

On Fri, Sep 01, 2017 at 11:03:45AM +0100, James Cowgill wrote:
> Hi,
> 
> On 30/08/17 20:48, Salvatore Bonaccorso wrote:
> > Control: retitle mbedtls: CVE-2017-14032: authentication bypass
> > 
> > Hi
> > 
> > On Tue, Aug 29, 2017 at 12:09:30AM +0100, James Cowgill wrote:
> >> Source: mbedtls
> >> Version: 2.1.2-1
> >> Severity: grave
> >> Tags: security
> >>
> >> Hi,
> >>
> >> The following security advisory was published for mbedtls:
> >> https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
> > 
> > MITRE has assigned CVE-2017-14032 for this issue.
> 
> Does the attached patch look OK for stretch? I did a bit of testing with
> it and it seems to fix the issue for me.

Thank you. Looks good to me (although without tests). If you are
confident enough with the results of your testing, please go ahead
with the upload to security-master. Keep in mind that you need to
build with -sa to include the orig tarball, since it's new to dak on
security-master.

Regards,
Salvatore
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#873557; Package src:mbedtls. (Wed, 06 Sep 2017 18:24:02 GMT) (full text, mbox, link).


Acknowledgement sent to James Cowgill <jcowgill@debian.org>:
Extra info received and forwarded to list. (Wed, 06 Sep 2017 18:24:02 GMT) (full text, mbox, link).


Message #41 received at 873557@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <jcowgill@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 873557@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#873557: mbedtls: CVE-2017-14032: authentication bypass
Date: Wed, 6 Sep 2017 19:19:58 +0100
[Message part 1 (text/plain, inline)]
Hi,

On 05/09/17 05:46, Salvatore Bonaccorso wrote:
> Hi James
> 
> Apologies for the delay!
> 
> On Fri, Sep 01, 2017 at 11:03:45AM +0100, James Cowgill wrote:
>> Hi,
>>
>> On 30/08/17 20:48, Salvatore Bonaccorso wrote:
>>> Control: retitle mbedtls: CVE-2017-14032: authentication bypass
>>>
>>> Hi
>>>
>>> On Tue, Aug 29, 2017 at 12:09:30AM +0100, James Cowgill wrote:
>>>> Source: mbedtls
>>>> Version: 2.1.2-1
>>>> Severity: grave
>>>> Tags: security
>>>>
>>>> Hi,
>>>>
>>>> The following security advisory was published for mbedtls:
>>>> https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
>>>
>>> MITRE has assigned CVE-2017-14032 for this issue.
>>
>> Does the attached patch look OK for stretch? I did a bit of testing with
>> it and it seems to fix the issue for me.
> 
> Thank you. Looks good to me (although without tests). If you are
> confident enough with the results of your testing, please go ahead
> with the upload to security-master. Keep in mind that you need to
> build with -sa to include the orig tarball, since it's new to dak on
> security-master.

Thanks! Uploaded. Upstream does have some tests for this, although
unfortunately it's accompanied by about 200K of test data.

James

[signature.asc (application/pgp-signature, attachment)]

Reply sent to James Cowgill <jcowgill@debian.org>:
You have taken responsibility. (Fri, 08 Sep 2017 22:21:13 GMT) (full text, mbox, link).


Notification sent to James Cowgill <jcowgill@debian.org>:
Bug acknowledged by developer. (Fri, 08 Sep 2017 22:21:13 GMT) (full text, mbox, link).


Message #46 received at 873557-close@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <jcowgill@debian.org>
To: 873557-close@bugs.debian.org
Subject: Bug#873557: fixed in mbedtls 2.4.2-1+deb9u1
Date: Fri, 08 Sep 2017 22:17:08 +0000
Source: mbedtls
Source-Version: 2.4.2-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
mbedtls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873557@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated mbedtls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 01 Sep 2017 09:29:59 +0100
Source: mbedtls
Binary: libmbedtls-dev libmbedcrypto0 libmbedtls10 libmbedx509-0 libmbedtls-doc
Architecture: source
Version: 2.4.2-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: James Cowgill <jcowgill@debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
 libmbedcrypto0 - lightweight crypto and SSL/TLS library - crypto library
 libmbedtls-dev - lightweight crypto and SSL/TLS library - development files
 libmbedtls-doc - lightweight crypto and SSL/TLS library - documentation
 libmbedtls10 - lightweight crypto and SSL/TLS library - tls library
 libmbedx509-0 - lightweight crypto and SSL/TLS library - x509 certificate library
Closes: 873557
Changes:
 mbedtls (2.4.2-1+deb9u1) stretch-security; urgency=high
 .
   * Fix CVE-2017-14032:
     If optional authentication is configured, allows remote attackers to
     bypass peer authentication via an X.509 certificate chain with many
     intermediates. (Closes: #873557)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Oct 2017 07:29:39 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:56:18 2019; Machine Name: beach
