asn1_buf_to_c_string() returned a literal string if the input ASN.1 string
contained a NUL character, while the caller expects a mutable string.
The caller will attempt to change this string, which allows a client to
crash a server by sending a certificate with an embedded NUL character.
(The other way around is not interesting, as servers are allowed to stop
a client by design.)
Impact analysis:
* applies to mbedtls builds only
* introduced in 2.4 (so 2.3 is not affected)
* can only be exploited if the --x509-track option is used
* requires the CA to sign a certificate with an embedded NUL in the
certificate subject
This bug was discovered and reported to the OpenVPN security team by
Guido Vranken.
CVE: 2017-7522
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1497864520-12219-2-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/search?l=mid&q=1497864520-12219-2-git-send-email-steffan.karger@fox-it.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
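The defect class the commit message describes, as an added C example that is not OpenVPN's code: a minimal stand-in arena, an asn1_buf_to_c_string() that returns an arena-owned copy of the error text the way the fix does, and a hypothetical caller subject_tracks_as() that edits the returned string in place. The arena shape, gc_malloc()/gc_free() and the caller's upper-casing edit are assumptions; the real gc_arena and string_alloc() differ.

```c
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Stand-in for OpenVPN's gc_arena: blocks freed together. Assumed shape; the
 * real gc_malloc()/string_alloc() have different internals. */
struct gc_block { struct gc_block *next; };
struct gc_arena { struct gc_block *list; };

static void *gc_malloc(size_t n, struct gc_arena *gc)
{
    struct gc_block *b = malloc(sizeof *b + n);
    if (!b) abort();
    b->next = gc->list; gc->list = b;
    return b + 1;                       /* payload follows the header */
}

static void gc_free(struct gc_arena *gc)
{
    while (gc->list) { struct gc_block *n = gc->list->next; free(gc->list); gc->list = n; }
}

/* Copy an ASN.1 byte string into a NUL-terminated, arena-owned buffer. On an
 * embedded NUL return an arena-owned COPY of the error text; the pre-fix code
 * returned the literal itself (read-only memory), so a mutating caller crashed. */
char *asn1_buf_to_c_string(const unsigned char *p, size_t len, struct gc_arena *gc)
{
    static const char err[] = "ERROR: embedded null value";
    for (size_t i = 0; i < len; i++) {
        if (p[i] == '\0') {
            char *copy = gc_malloc(sizeof err, gc);
            memcpy(copy, err, sizeof err);
            return copy;
        }
    }
    char *val = gc_malloc(len + 1, gc);
    memcpy(val, p, len);
    val[len] = '\0';
    return val;
}

/* Hypothetical caller that edits the string in place (the commit message only
 * says the caller changes it; upper-casing stands in for that edit). */
int subject_tracks_as(const unsigned char *p, size_t len, const char *expected)
{
    struct gc_arena gc = { NULL };
    char *s = asn1_buf_to_c_string(p, len, &gc);
    for (char *c = s; *c; c++) *c = (char)toupper((unsigned char)*c);
    int ok = strcmp(s, expected) == 0;
    gc_free(&gc);
    return ok;
}
```

With the literal returned instead of a copy, the in-place edit in subject_tracks_as() writes to read-only memory; with the copy, the embedded-NUL input is handled without a crash.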
... | ... |
@@ -306,6 +306,14 @@ Maintainer-visible changes |
306 | 306 |
Version 2.4.3 |
307 | 307 |
============= |
308 | 308 |
|
309 |
+Security |
|
310 |
+-------- |
|
311 |
+- CVE-2017-7522: Fix --x509-track post-authentication remote DoS |
|
312 |
+ A client could crash a 2.4+ mbedtls server, if that server uses the |
|
313 |
+ --x509-track option and the client has a correct, signed and unrevoked |
|
314 |
+ certificate that contains an embedded NUL in the certificate subject. |
|
315 |
+ Discovered and reported to the OpenVPN security team by Guido Vranken. |
|
316 |
+ |
|
309 | 317 |
User-visible Changes |
310 | 318 |
-------------------- |
311 | 319 |
- ``--verify-hash`` can now take an optional flag which changes the hashing |
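Review bot: the new Security entry should say explicitly that only mbedtls builds are affected, so that someone scanning Changes.rst for an OpenSSL build can see at a glance that they need not act; the commit message already has "applies to mbedtls builds only" and "introduced in 2.4 (so 2.3 is not affected)", so a closing line such as "Only mbedtls builds of 2.4 releases before 2.4.3 are affected; OpenSSL builds are not." would carry that into the changelog. "A client could crash a 2.4+ mbedtls server" hints at it, but the scope is easy to miss in a sentence about the attack preconditions.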
... | ... |
@@ -271,7 +271,7 @@ asn1_buf_to_c_string(const mbedtls_asn1_buf *orig, struct gc_arena *gc) |
271 | 271 |
{ |
272 | 272 |
if (orig->p[i] == '\0') |
273 | 273 |
{ |
274 |
- return "ERROR: embedded null value"; |
|
274 |
+ return string_alloc("ERROR: embedded null value", gc); |
|
275 | 275 |
} |
276 | 276 |
} |
277 | 277 |
val = gc_malloc(orig->len+1, false, gc); |
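Review bot: the error path still returns a value that callers cannot tell apart from a successfully decoded string; copying the text with string_alloc() stops the caller from writing into read-only memory, but a subject component containing an embedded NUL is now tracked as the literal text "ERROR: embedded null value", and nothing upstream can distinguish that from a real value. Consider returning NULL here and having the --x509-track callers check for it, or at least logging the condition, so a malformed certificate is visible instead of silently reported with placeholder text. A short comment above the loop noting that callers modify the returned buffer would also document the invariant the old `return "ERROR: embedded null value";` broke.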