Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 740108 (CVE-2020-16150, CVE-2020-36424, CVE-2020-36425, CVE-2020-36426, CVE-2020-36476, CVE-2020-36477) - <net-libs/mbedtls-{2.16.8,2.24.0}: Multiple vulnerabilities (CVE-2020-{16150,36424,36425,36426})
Summary: <net-libs/mbedtls-{2.16.8,2.24.0}: Multiple vulnerabilities (CVE-2020-{16150,...
Status: RESOLVED FIXED
Alias: CVE-2020-16150, CVE-2020-36424, CVE-2020-36425, CVE-2020-36426, CVE-2020-36476, CVE-2020-36477
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa+ cve]
Keywords:
Depends on: CVE-2020-36421, CVE-2020-36422, CVE-2020-36423
Blocks:
  Show dependency tree
 
Reported: 2020-09-02 19:21 UTC by Sam James
Modified: 2023-01-11 05:24 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-02 19:21:29 UTC
* CVE-2020-16150 (Local side channel attack on classical CBC decryption in (D)TLS)

Description:
"An local attacker with access to enough information about the state of the cache (including, but not limited to, an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) can recover portions of the plaintext of a (D)TLS record."

Fixed versions: "Affected users will want to upgrade to Mbed TLS 2.24.0, 2.16.8 or 2.7.17 depending on the branch they're currently using."

Advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1

* Local side channel attack on RSA and static Diffie-Hellman

Description:
"An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) can recover the private keys used in RSA or static (finite-field) Diffie-Hellman operations."

Fixed versions: "Affected users will want to upgrade to Mbed TLS 2.24.0, 2.16.8 or 2.7.17 depending on the branch they're currently using."

Advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-02 19:22:24 UTC
Please bump to 2.16.8, 2.24.0, thanks!
Comment 2 Anthony Basile gentoo-dev 2020-09-03 15:38:25 UTC
(In reply to Sam James from comment #1)
> Please bump to 2.16.8, 2.24.0, thanks!

Okay the bumps are in the tree.  I did preliminary testing and everything seems good to go.  If you want, go ahead and convert this into a stabilization bug.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-03 23:03:26 UTC
Thanks! CC-ARCHES when ready.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-04 18:38:27 UTC
arm64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-04 18:39:33 UTC
arm done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-04 18:41:34 UTC
ppc64 stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2020-09-05 16:18:04 UTC
x86 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2020-09-08 07:11:25 UTC
ppc stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-12 23:57:18 UTC
amd64 stable, please cleanup
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-30 02:20:16 UTC
Ping
Comment 11 Larry the Git Cow gentoo-dev 2020-10-31 12:07:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a1bdf75cfef9f25bf8ee50237a5620c5a0ec0a84

commit a1bdf75cfef9f25bf8ee50237a5620c5a0ec0a84
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-10-30 15:29:24 +0000
Commit:     Anthony G. Basile <blueness@gentoo.org>
CommitDate: 2020-10-31 12:07:03 +0000

    net-libs/mbedtls: security cleanup
    
    Bug: https://bugs.gentoo.org/740108
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Signed-off-by: Anthony G. Basile <blueness@gentoo.org>

 net-libs/mbedtls/Manifest                 |  2 -
 net-libs/mbedtls/mbedtls-2.16.7-r1.ebuild | 94 -------------------------------
 net-libs/mbedtls/mbedtls-2.23.0-r1.ebuild | 94 -------------------------------
 3 files changed, 190 deletions(-)
Comment 12 Anthony Basile gentoo-dev 2020-10-31 12:08:52 UTC
(In reply to Larry the Git Cow from comment #11)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=a1bdf75cfef9f25bf8ee50237a5620c5a0ec0a84
> 
> commit a1bdf75cfef9f25bf8ee50237a5620c5a0ec0a84
> Author:     John Helmert III <jchelmert3@posteo.net>
> AuthorDate: 2020-10-30 15:29:24 +0000
> Commit:     Anthony G. Basile <blueness@gentoo.org>
> CommitDate: 2020-10-31 12:07:03 +0000
> 
>     net-libs/mbedtls: security cleanup
>     
>     Bug: https://bugs.gentoo.org/740108
>     Package-Manager: Portage-3.0.8, Repoman-3.0.2
>     Signed-off-by: John Helmert III <jchelmert3@posteo.net>
>     Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
> 
>  net-libs/mbedtls/Manifest                 |  2 -
>  net-libs/mbedtls/mbedtls-2.16.7-r1.ebuild | 94
> -------------------------------
>  net-libs/mbedtls/mbedtls-2.23.0-r1.ebuild | 94
> -------------------------------
>  3 files changed, 190 deletions(-)

Thanks for the reminder.
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-11-01 23:02:47 UTC
(In reply to Anthony Basile from comment #12)
> (In reply to Larry the Git Cow from comment #11)
> > The bug has been referenced in the following commit(s):
> > 
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/
> > ?id=a1bdf75cfef9f25bf8ee50237a5620c5a0ec0a84
> > 
> > commit a1bdf75cfef9f25bf8ee50237a5620c5a0ec0a84
> > Author:     John Helmert III <jchelmert3@posteo.net>
> > AuthorDate: 2020-10-30 15:29:24 +0000
> > Commit:     Anthony G. Basile <blueness@gentoo.org>
> > CommitDate: 2020-10-31 12:07:03 +0000
> > 
> >     net-libs/mbedtls: security cleanup
> >     
> >     Bug: https://bugs.gentoo.org/740108
> >     Package-Manager: Portage-3.0.8, Repoman-3.0.2
> >     Signed-off-by: John Helmert III <jchelmert3@posteo.net>
> >     Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
> > 
> >  net-libs/mbedtls/Manifest                 |  2 -
> >  net-libs/mbedtls/mbedtls-2.16.7-r1.ebuild | 94
> > -------------------------------
> >  net-libs/mbedtls/mbedtls-2.23.0-r1.ebuild | 94
> > -------------------------------
> >  3 files changed, 190 deletions(-)
> 
> Thanks for the reminder.

Thanks for merging!
Comment 14 NATTkA bot gentoo-dev 2020-11-01 23:04:52 UTC Comment hidden (obsolete)
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-18 21:24:30 UTC
(In reply to Sam James from comment #0)
> * CVE-2020-16150 (Local side channel attack on classical CBC decryption in
> (D)TLS)
> 
> Description:
> "An local attacker with access to enough information about the state of the
> cache (including, but not limited to, an untrusted operating system
> attacking a secure enclave such as SGX or the TrustZone secure world) can
> recover portions of the plaintext of a (D)TLS record."
> 
> Fixed versions: "Affected users will want to upgrade to Mbed TLS 2.24.0,
> 2.16.8 or 2.7.17 depending on the branch they're currently using."
> 
> Advisory:
> https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-
> advisory-2020-09-1
> 
> * Local side channel attack on RSA and static Diffie-Hellman
> 
> Description:
> "An attacker with access to precise enough timing and memory access
> information (typically an untrusted operating system attacking a secure
> enclave such as SGX or the TrustZone secure world) can recover the private
> keys used in RSA or static (finite-field) Diffie-Hellman operations."
> 
> Fixed versions: "Affected users will want to upgrade to Mbed TLS 2.24.0,
> 2.16.8 or 2.7.17 depending on the branch they're currently using."
> 
> Advisory:
> https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-
> advisory-2020-09-2

Requested a CVE for the non-CVE'd vulnerability here, as well as these two issues in the changelogs:

When checking X.509 CRLs, a certificate was only considered as revoked if its revocationDate was in the past according to the local clock if available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE, certificates were never considered as revoked. On builds with MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for example, an untrusted OS attacking a secure enclave) could prevent revocation of certificates via CRLs. Fixed by no longer checking the revocationDate field, in accordance with RFC 5280. Reported by yuemonangong in #3340. Reported independently and fixed by Raoul Strackx and Jethro Beekman in #3433.

Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der(). Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine for pinpointing the problematic code.
Comment 16 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-19 15:31:08 UTC
(In reply to John Helmert III from comment #15)
> (In reply to Sam James from comment #0) 
> > * Local side channel attack on RSA and static Diffie-Hellman
> > 
> > Description:
> > "An attacker with access to precise enough timing and memory access
> > information (typically an untrusted operating system attacking a secure
> > enclave such as SGX or the TrustZone secure world) can recover the private
> > keys used in RSA or static (finite-field) Diffie-Hellman operations."
> > 
> > Fixed versions: "Affected users will want to upgrade to Mbed TLS 2.24.0,
> > 2.16.8 or 2.7.17 depending on the branch they're currently using."
> > 
> > Advisory:
> > https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-
> > advisory-2020-09-2
> 
> Requested a CVE for the non-CVE'd vulnerability here...

CVE-2020-36424

> as well as these two
> issues in the changelogs:
> 
> When checking X.509 CRLs, a certificate was only considered as revoked if
> its revocationDate was in the past according to the local clock if
> available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
> certificates were never considered as revoked. On builds with
> MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
> example, an untrusted OS attacking a secure enclave) could prevent
> revocation of certificates via CRLs. Fixed by no longer checking the
> revocationDate field, in accordance with RFC 5280. Reported by yuemonangong
> in #3340. Reported independently and fixed by Raoul Strackx and Jethro
> Beekman in #3433.

CVE-2020-36425

> Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der(). Credit to
> OSS-Fuzz for detecting the problem and to Philippe Antoine for pinpointing
> the problematic code.

CVE-2020-36426
Comment 17 NATTkA bot gentoo-dev 2021-07-29 17:26:01 UTC
Package list is empty or all packages have requested keywords.
Comment 18 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-25 02:30:17 UTC
CVE-2020-36477:

An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify) with the actual certificate name is mishandled: when the subjecAltName extension is present, the expected name is compared to any name in that extension regardless of its type. This means that an attacker could impersonate a 4-byte or 16-byte domain by getting a certificate for the corresponding IPv4 or IPv6 address (this would require the attacker to control that IP address, though).

CVE-2020-36476:

An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data from memory.
Comment 19 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-22 23:47:10 UTC
GLSA request filed.
Comment 20 Larry the Git Cow gentoo-dev 2023-01-11 05:22:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f524f5fa47d9d739280d4530623a93084918da39

commit f524f5fa47d9d739280d4530623a93084918da39
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-01-11 05:19:06 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-11 05:22:06 +0000

    [ GLSA 202301-08 ] Mbed TLS: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/730752
    Bug: https://bugs.gentoo.org/740108
    Bug: https://bugs.gentoo.org/764317
    Bug: https://bugs.gentoo.org/778254
    Bug: https://bugs.gentoo.org/801376
    Bug: https://bugs.gentoo.org/829660
    Bug: https://bugs.gentoo.org/857813
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202301-08.xml | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
Comment 21 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-11 05:24:46 UTC
GLSA released, all done!