The maintenance releases mbed TLS 2.1.2 and 1.3.14, and PolarSSL 1.2.17, for the 2.x, 1.3 and 1.2 branches have been published.
These releases mainly fix a remotely exploitable vulnerability, as well as other vulnerabilities that are not exploitable remotely, and a few other bugs.
Guido Vranken of Intelworks has found and reported a total of 8 potential vulnerabilities that have been fixed in these releases. The most important issue is detailed in mbed TLS security advisory 2015-01 and can potentially result in a remote code execution if a client connects to a malicious server using ticket-based session resumption.
Other fixes include:
- Potential double-free if mbedtls_ssl_set_hs_psk() is called more than once in the same handshake and
- Stack buffer overflow in PKCS12 decryption (used by mbedtls_pk_parse_key() and mbedtls_pk_parse_keyfile()) when the password is > 129 bytes
- Potential buffer overflow in mbedtls_mpi_read_string(). This is not exploitable remotely in the context of TLS, but it may be in other protocols. On 32-bit machines, this would require reading a string of close to or larger than 1GB of data to exploit; on 64-bit machines, it would require reading a string of close to or larger than 2^62 bytes
- Potential random memory allocation in mbedtls_pem_read_buffer() on crafted PEM input data. Triggerable remotely if you accept PEM data from an untrusted source
- Potential heap buffer overflow in base64_encode() when the input buffer is 512MB or larger on 32-bit platforms
- Potential double-free if mbedtls_conf_psk() is called repeatedly on the same mbedtls_ssl_config object and memory allocation fails
- Potential heap buffer overflow in servers that perform client authentication against a crafted CA cert. Cannot be triggered remotely unless you allow third parties to pick the trusted CAs for client auth
In addition, two build errors were fixed: one when building net.c with the musl C library, the other when building with MSVC in C++ mode.
In addition to checking bounds when writing ClientHello extensions, we now also enforce a limit of 255 bytes (as defined by RFC 1305) on the host name in
Who should update
We recommend all client-side users upgrade.
Alternatively, you should implement the workaround described in mbed TLS security advisory 2015-01 and check whether the other vulnerabilities apply to your use case.
Get your copy here:
The hashes for mbedtls-2.1.2-apache.tgz are:
SHA-1 : c99dfeaa27489f0e74e704e69a181f6ceb3db2a7
SHA-256 : ce57cb9085f976ffde945af7e8cec058a66ad181a96fd228fbcbc485213a7c58
The hashes for mbedtls-2.1.2-gpl.tgz are:
SHA-1 : 44c4b71971a68086bb4d68b82688015812fd3962
SHA-256 : 0dcca471d1f76352af5e26d64880ef6a30963ad6474a78c0d8e7fbb6dd691fa4
The hashes for mbedtls-1.3.14-gpl.tgz are:
SHA-1 : 690ae3cc3da82cfc5530f5cb1f82bec0c778b5dc
SHA-256 : be76915bc406b4c4109629624baa5bf610a805d9976404e4086d44e5e6c86ff8
The hashes for polarssl-1.2.17-gpl.tgz are:
SHA-1 : 09c34c5eb1e5e6df565be9fdce0a7bd3e86dd579
SHA-256 : 9301d4ebec3eb45bc9f28f2d79bfdb0c3dd351c386aa6cc66643e1b2be274d52
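The two practical steps that follow from the "Who should update" section and the hash list above are (1) deciding whether a deployed mbed TLS / PolarSSL version is older than the release that fixes these issues on its branch, and (2) checking a downloaded tarball against the published SHA-256 before unpacking it. The script below is an added example and is not part of the announcement or of the mbed TLS project; the version thresholds (2.1.2 for 2.x, 1.3.14 for 1.3, 1.2.17 for 1.2) and the SHA-256 values are copied from the text above, and the function names `version_status`, `sha256_status` and `verify_release` are the example's own. It assumes a POSIX shell with either `sha256sum` or `openssl` on the PATH.

```shell
#!/bin/sh
# Added example (not the mbed TLS project's own code): defender-side checks derived
# from the release announcement. Function names are this example's own.

# Print one word for VERSION ("2.1.1", "1.3.13", ...):
#   update  - on a branch covered by this announcement and older than the fixing release
#   patched - on a covered branch and at or above the fixing release
#   unknown - not a well-formed major.minor.patch version, or a branch not mentioned here
version_status() {
    ver=$1
    case "$ver" in
        ''|*[!0-9.]*|*..*|.*|*.) echo unknown; return 0 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs   # split on dots into $1 $2 $3
    [ $# -eq 3 ] || { echo unknown; return 0; }
    major=$1; minor=$2; patch=$3
    case "$major.$minor" in
        2.*) fixed_minor=1; fixed_patch=2 ;;    # 2.x branch: fixed in mbed TLS 2.1.2
        1.3) fixed_minor=3; fixed_patch=14 ;;   # 1.3 branch: fixed in mbed TLS 1.3.14
        1.2) fixed_minor=2; fixed_patch=17 ;;   # 1.2 branch: fixed in PolarSSL 1.2.17
        *)   echo unknown; return 0 ;;
    esac
    if [ "$minor" -lt "$fixed_minor" ] ||
       { [ "$minor" -eq "$fixed_minor" ] && [ "$patch" -lt "$fixed_patch" ]; }; then
        echo update
    else
        echo patched
    fi
}

# Print "ok" if FILE's SHA-256 equals EXPECTED (hex, any case), "mismatch" if it
# does not, "missing" if FILE cannot be read.
sha256_status() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo missing; return 0; }
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        # openssl prints "SHA256(file)= <hex>" or "SHA2-256(file)= <hex>"
        actual=$(openssl dgst -sha256 "$file" | sed 's/.*= //')
    fi
    [ "$actual" = "$expected" ] && echo ok || echo mismatch
}

# Look up the announcement's SHA-256 for a release tarball by file name and
# verify it; prints ok / mismatch / missing, or "unknown" for other file names.
verify_release() {
    case "$(basename "$1")" in
        mbedtls-2.1.2-apache.tgz) expected=ce57cb9085f976ffde945af7e8cec058a66ad181a96fd228fbcbc485213a7c58 ;;
        mbedtls-2.1.2-gpl.tgz)    expected=0dcca471d1f76352af5e26d64880ef6a30963ad6474a78c0d8e7fbb6dd691fa4 ;;
        mbedtls-1.3.14-gpl.tgz)   expected=be76915bc406b4c4109629624baa5bf610a805d9976404e4086d44e5e6c86ff8 ;;
        polarssl-1.2.17-gpl.tgz)  expected=9301d4ebec3eb45bc9f28f2d79bfdb0c3dd351c386aa6cc66643e1b2be274d52 ;;
        *) echo unknown; return 0 ;;
    esac
    sha256_status "$1" "$expected"
}

# Usage: sh check.sh [tarball ...]   -> prints "<file>: ok|mismatch|missing|unknown"
#        version_status "$(your-version-probe)" for an installed copy
for f in "$@"; do
    echo "$f: $(verify_release "$f")"
done
```

The version check is deliberately conservative: anything it cannot parse, or any branch the announcement does not name, comes back as `unknown` rather than `patched`, so an automated inventory sweep never reports an unrecognised build as safe. Only SHA-256 is checked because the announcement publishes both digests and SHA-1 adds nothing once the stronger one matches.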