Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 416399 (CVE-2012-2130) - <net-libs/polarssl-1.1.3: Weak key generation (CVE-2012-2130)
Summary: <net-libs/polarssl-1.1.3: Weak key generation (CVE-2012-2130)
Status: RESOLVED FIXED
Alias: CVE-2012-2130
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://polarssl.org/trac/wiki/Securit...
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-05-17 14:40 UTC by Tim Sammut (RETIRED)
Modified: 2013-10-17 09:03 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2012-05-17 14:40:56 UTC
From the upstream advisory at $URL:

During code migration a bug was introduced in PolarSSL 0.99-pre4. As a result the generation of Diffie Hellman value X is weak on the client and server. Only a part of the value X is filled with random data, instead of the whole value. (Determined by the server Diffie Hellman parameters). In addition, MPI primes are only generated within a limited subspace of the full prime space. Again only a part of the prime is filled with random data, instead of the whole value.

Impact

When a weak X is generated the resulting Diffie Hellman key exchange is weaker. This makes it easier for an attacker to brute force the private value and thus the master secret. When the master secret is known, an attacker is able to modify and read all data in the secure channel.

MPI primes generated with mpi_gen_prime() are less secure. If rsa_gen_key() was used to generate RSA keys with PolarSSL, these keys are less secure as well. This only affects keys / primes generated within affected versions of PolarSSL, not keys generated in older versions or imported keys.

Resolution

PolarSSL version 1.1.2 contains a fix for the bug and generates full-size values of X and primes.

If you generated primes or RSA keys from within PolarSSL, re-generate and replace those primes / keys.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2012-05-17 14:44:28 UTC
Thomas, thanks for the heads up and ack via IRC.

Arches, please test and mark stable:
=net-libs/polarssl-1.1.3
Target keywords : "amd64 hppa ppc ppc64 x86"
Comment 2 Michael Harrison 2012-05-18 19:47:54 UTC
amd64 ok
Comment 3 Agostino Sarubbo gentoo-dev 2012-05-19 14:03:24 UTC
amd64 stable
Comment 4 Mark Loeser (RETIRED) gentoo-dev 2012-05-20 07:07:27 UTC
ppc/ppc64 done
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-05-21 04:24:26 UTC
Stable for HPPA.
Comment 6 Johannes Huber (RETIRED) gentoo-dev 2012-05-21 22:19:43 UTC
x86 stable
Comment 7 Thomas Sachau gentoo-dev 2012-05-22 21:15:56 UTC
old versions removed, so all should be done on ebuild side
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2012-05-23 02:57:07 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-06-11 19:45:33 UTC
GLSA vote: yes.

Added to existing GLSA request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2013-10-17 09:03:25 UTC
This issue was resolved and addressed in
 GLSA 201310-10 at http://security.gentoo.org/glsa/glsa-201310-10.xml
by GLSA coordinator Sergey Popov (pinkbyte).