Headline
CVE-2020-36476: Release Mbed TLS 2.16.8 · Mbed-TLS/mbedtls
An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data from memory.
Description
This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues and the most notable of them are described in more detail in the security advisories.
Features
- Support building on e2k (Elbrus) architecture: correctly enable -Wformat-signedness, and fix the code that causes signed-one-bit-field and sign-compare warnings. Contributed by makise-homura (Igor Molchanov) [email protected].
Security
- When checking X.509 CRLs, a certificate was only considered as revoked if its revocationDate was in the past according to the local clock if available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE, certificates were never considered as revoked. On builds with MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for example, an untrusted OS attacking a secure enclave) could prevent revocation of certificates via CRLs. Fixed by no longer checking the revocationDate field, in accordance with RFC 5280. Reported by yuemonangong in #3340. Reported independently and fixed by Raoul Strackx and Jethro Beekman in #3433.
- In (D)TLS record decryption, when using a CBC ciphersuites without the Encrypt-then-Mac extension, use constant code flow memory access patterns to extract and check the MAC. This is an improvement to the existing countermeasure against Lucky 13 attacks. The previous countermeasure was effective against network-based attackers, but less so against local attackers. The new countermeasure defends against local attackers, even if they have access to fine-grained measurements. In particular, this fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler (University of Florida) and Dave Tian (Purdue University).
- Fix side channel in RSA private key operations and static (finite-field) Diffie-Hellman. An adversary with precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could bypass an existing counter-measure (base blinding) and potentially fully recover the private key.
- Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der(). Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine for pinpointing the problematic code.
- Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused application data from memory. Reported in #689 by Johan Uppman Bruce of Sectra.
Bugfix
- Avoid use of statically sized stack buffers for certificate writing. This previously limited the maximum size of DER encoded certificates in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631.
- Reduce the stack consumption of mbedtls_x509write_csr_der() which previously could lead to stack overflow on constrained devices. Contributed by Doru Gucea and Simon Leet in #3464.
- Use arc4random_buf on NetBSD instead of rand implementation with cyclical lower bits. Fix contributed in #3540.
- Fix building library/net_sockets.c and the ssl_mail_client program on NetBSD. NetBSD conditionals were added for the backport to avoid the risk of breaking a platform. Original fix contributed by Nia Alarie in #3422. Adapted for long-term support branch 2.16 in #3558.
- Fix bug in redirection of unit test outputs on platforms where stdout is defined as a macro. First reported in #2311 and fix contributed in #3528. Adopted for LTS branch 2.16 in #3601.
Changes
- Update copyright notices to use Linux Foundation guidance. As a result, the copyright of contributors other than Arm is now acknowledged, and the years of publishing are no longer tracked in the source files. This also eliminates the need for the lines declaring the files to be part of MbedTLS. Fixes #3457.
Who should update
We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Checksum
The SHA256 hashes for the archives are:
fe9e3b15c3375943bdfebbbb20dd6b4f1147b3b5d926248bd835d73247407430 mbedtls-2.16.8.tar.gz
a2904aa4f8b23a3e3972f87ff1c7e450a128c38d00ac28ad183296607fe2d9d6 mbedtls-2.16.8.zip
Related news
Gentoo Linux Security Advisory 202301-8 - Multiple vulnerabilities have been discovered in Mbed TLS, the worst of which could result in arbitrary code execution. Versions less than 2.28.1 are affected.
An issue was discovered in Arm Mbed TLS before 2.23.0. A remote attacker can recover plaintext because a certain Lucky 13 countermeasure doesn't properly consider the case of a hardware accelerator.