Source: mbedtls
Version: 2.1.2-1
Severity: grave
Tags: security

When the truncated HMAC extension is enabled and CBC is used, sending a
malicious application packet can be used to selectively corrupt 6 bytes
on the peer's heap, potentially leading to a crash or remote code
execution. This can be triggered remotely from either side in both TLS
and DTLS.

If the truncated HMAC extension, which can be set by the compile time
option MBEDTLS_SSL_TRUNCATED_HMAC in config.h, is disabled when
compiling the library, then the vulnerability is not present. The
truncated HMAC extension is enabled in the default configuration.

The vulnerability is only present if
* The compile-time option MBEDTLS_SSL_TRUNCATED_HMAC is set in config.h.
  (It is set by default) AND
* The truncated HMAC extension is explicitly offered by calling
  mbedtls_ssl_conf_truncated_hmac(). (It is not offered by default)

Depending on the platform, an attack exploiting this vulnerability could
lead to an application crash or allow remote code execution.

Affected users should upgrade to Mbed TLS 1.3.22, Mbed TLS 2.1.10 or
Mbed TLS 2.7.0.

Users should wherever possible upgrade to the newer version of Mbed TLS.
Where this is not practical, users should consider disabling the
truncated HMAC extension by removing any call to
mbedtls_ssl_conf_truncated_hmac() in their application, and the option
MBEDTLS_SSL_TRUNCATED_HMAC in the Mbed TLS configuration is practical
for their application.

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to