GitList

Browse code

mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)

asn1_buf_to_c_string() returned a literal string if the input ASN.1 string
contained a NUL character, while the caller expects a mutable string.
The caller will attempt to change this string, which allows a client to
crash a server by sending a certificate with an embedded NUL character.

(The other way around is not interesting, as servers are allowed to stop
a client by design.)

Impact analysis:
* applies to mbedtls builds only
* introduced in 2.4 (so 2.3 is not affected)
* can only be exploited if the --x509-track option is used
* requires the CA to sign a certificate with an embedded NUL in the
certificate subject

This bug was discovered and reported to the OpenVPN security team by
Guido Vranken.

CVE: 2017-7522
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1497864520-12219-2-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/search?l=mid&q=1497864520-12219-2-git-send-email-steffan.karger@fox-it.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Steffan Karger authored on 2017/06/19 18:28:36
Showing 2 changed files

Changes.rst

History View file @ 4263929

@@ -306,6 +306,14 @@ Maintainer-visible changes
                      Version 2.4.3
                      =============
                     +Security
                     +--------
                     +- CVE-2017-7522: Fix --x509-track post-authentication remote DoS
                     +  A client could crash a 2.4+ mbedtls server, if that server uses the
                     +  --x509-track option and the client has a correct, signed and unrevoked
                     +  certificate that contains an embedded NUL in the certificate subject.
                     +  Discovered and reported to the OpenVPN security team by Guido Vranken.
+                    +
                      User-visible Changes
                      --------------------
                      - ``--verify-hash`` can now take an optional flag which changes the hashing

src/openvpn/ssl_verify_mbedtls.c

History View file @ 4263929

@@ -271,7 +271,7 @@ asn1_buf_to_c_string(const mbedtls_asn1_buf *orig, struct gc_arena *gc)
     {
         if (orig->p[i] == '\0')
         {
-            return "ERROR: embedded null value";
+            return string_alloc("ERROR: embedded null value", gc);
         }
     }
     val = gc_malloc(orig->len+1, false, gc);

...	...	@@ -271,7 +271,7 @@ asn1_buf_to_c_string(const mbedtls_asn1_buf orig, struct gc_arena gc)
271	271	{
272	272	if (orig->p[i] == '\0')
273	273	{
274		- return "ERROR: embedded null value";
	274	+ return string_alloc("ERROR: embedded null value", gc);
275	275	}
276	276	}
277	277	val = gc_malloc(orig->len+1, false, gc);