Mbed TLS is now part of TrustedFirmware.org.

CVE-2018-0487 and how to trigger it


Feb 7, 2018 08:18
Trinity

Hi Ron, we're using a slightly modified version of mbedtls-2.6.0 RSA-PSS signature verification inside a sensitive part of SoC. Could you elaborate for what hash <--> key-size combinations this vulnerability / buffer overflow is triggered?

 
Feb 22, 2018 10:16
Trinity

Any updates yet ... ?

 
Feb 22, 2018 13:17
Gilles Peskine

Hi trinity,

This advisory covers three bugs in RSAPSS verification.

The first bug (fix and non-regression test in 28a0c727957990ac655cbe40c7eb20b7ef01167d) affects RSAPSS verification with an n-bit hash when the size of the key is ≤n+9 (so ≤521, so it doesn't affect any decent key size). The second bug (fix and non-regression test in 6a54b0240dea904b5a823b2b1e01b97c37ac2e8f) affects keys of any size. The third bug b00b0da45227dface23f1d1da2e28a0165d13313 causes some invalid signatures to be accepted (but not signatures generated without knowing the private key).

The first bug can be triggered without the private key. The second and third can't. So how severe this is for you depends on whether you verify against trusted public keys or against adversary-supplied public keys. For TLS (or more generally certificate verification) where you only control the top of the certificate chain, or for a cryptoprocessor that receives external requests, this is a major vulnerability. If the adversary can't provide their own public key (only the signature to be checked) then the code in Mbed TLS 2.6 is safe.