Mbed TLS version 2.14.1 has now been released, in addition to maintenance releases for Mbed TLS 2.7 and Mbed TLS 2.1.
These releases address two security issues, one of which is the subject of Security Advisory 18-03. Mbed TLS 2.7.8 and 2.1.17 are maintenance releases and intentionally contain no new features, so that the library interface stays unchanged and users can move between library versions easily.
- (2.14.1, 2.7.8, 2.1.17) Fixes timing variations and memory access variations in RSA PKCS#1 v1.5 decryption that could lead to a Bleichenbacher-style padding oracle attack. In TLS, this affects servers that accept ciphersuites using RSA key exchange, i.e. ciphersuites in which the server decrypts the premaster secret with its RSA key (those whose name contains RSA but not (EC)DH(E)); ciphersuites that use RSA only for signatures are not affected by this issue. The issue was first discovered and raised by Eyal Ronen - Weizmann Institute, Robert Gillham - University of Adelaide, Daniel Genkin - University of Michigan, Adi Shamir - Weizmann Institute, David Wong - NCC Group, and Yuval Yarom - University of Adelaide and Data61. The attack is described in more detail in the paper, The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations. This issue has been allocated CVE-2018-19608.
- (2.14.1, 2.7.8, 2.1.17) Sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG modules are now wiped before the functions return.
- (2.14.1, 2.7.8) The new functions mbedtls_ctr_drbg_update_ret() and mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update() and mbedtls_hmac_drbg_update() respectively, but the new functions report errors whereas the old functions return void. We recommend that applications use the new functions and check their return values.
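The padding-check fix in the first item replaces data-dependent early exits in PKCS#1 v1.5 unpadding with code that does the same work whatever the plaintext contains. The following is an added example, not Mbed TLS code, showing the two styles side by side on a constructed 128-byte decrypted block: the function names, the tamper cases and the examined-bytes counter are illustrative, and the counter stands in for the timing and cache-access differences that the paper's attack measures.

```c
/* Added demonstration, not Mbed TLS code: variable-time vs constant-time
 * PKCS#1 v1.5 type 2 unpadding of an RSA-decrypted block
 * EM = 0x00 || 0x02 || PS || 0x00 || M with |PS| >= 8; in a TLS RSA key
 * exchange M is the 48-byte premaster secret.  All inputs are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PMS_LEN 48   /* TLS premaster secret length: a public constant */

/* Variable-time check (the pattern the fix removes): 0 on success, -1 on bad
 * padding.  It stops at the first bad byte, so 'examined' (EM bytes touched)
 * depends on secret plaintext: that is what a padding oracle measures. */
int pkcs1_unpad_leaky(const uint8_t *em, size_t em_len,
                      uint8_t *out, size_t out_len, size_t *examined)
{
    size_t i;
    *examined = 0; if (em_len < out_len + 11) return -1;
    *examined = 1; if (em[0] != 0x00) return -1;
    *examined = 2; if (em[1] != 0x02) return -1;
    for (i = 2; i < em_len; i++) {
        *examined = i + 1;
        if (em[i] == 0x00) break;              /* separator found */
    }
    if (i == em_len || i - 2 < 8) return -1;   /* no separator, or |PS| < 8 */
    if (em_len - i - 1 != out_len) return -1;  /* message length mismatch */
    memcpy(out, em + i + 1, out_len);
    return 0;
}

/* 0xFF if x == 0, else 0x00, without a data-dependent branch. */
static uint8_t ct_u8_is_zero(uint8_t x)
{
    uint32_t y = x;
    return (uint8_t)(0u - ((y - 1u) >> 31));
}

/* 0xFF if a == b, else 0x00, without a data-dependent branch. */
static uint8_t ct_size_eq(size_t a, size_t b)
{
    uint64_t x = (uint64_t)a ^ (uint64_t)b;
    uint64_t nonzero = (x | (0u - x)) >> 63;   /* 1 iff x != 0 */
    return (uint8_t)(0u - (1u - nonzero));
}

/* Constant-time check: touches every EM byte, keeps the verdict in a mask
 * instead of control flow, and branches only on the public lengths.  0 on
 * success, -1 on bad padding; 'out' is written either way.  The TLS layer must
 * then absorb a failure without leaking it (continue with a random premaster). */
int pkcs1_unpad_ct(const uint8_t *em, size_t em_len,
                   uint8_t *out, size_t out_len, size_t *examined)
{
    uint8_t bad = 0, found = 0;
    size_t zero_idx = 0, i;
    if (em_len < out_len + 11) return -1;      /* public sizes only */
    bad |= (uint8_t)~ct_u8_is_zero(em[0]);
    bad |= (uint8_t)~ct_u8_is_zero((uint8_t)(em[1] ^ 0x02));
    for (i = 2; i < em_len; i++) {
        uint8_t is_zero = ct_u8_is_zero(em[i]);
        uint8_t first = (uint8_t)(is_zero & ~found);          /* first 0x00 only */
        zero_idx |= i & ((size_t)0 - (size_t)(first & 1u));  /* set exactly once */
        found |= is_zero;
    }
    *examined = em_len;
    bad |= (uint8_t)~found;                                   /* no separator */
    /* Separator must sit where an out_len-byte message starts; with
     * em_len >= out_len + 11 that also guarantees |PS| >= 8. */
    bad |= (uint8_t)~ct_size_eq(zero_idx, em_len - out_len - 1);
    memcpy(out, em + (em_len - out_len), out_len);            /* public offset */
    return -(int)(bad & 1u);
}

/* Constructed scenario: 128-byte EM (1024-bit modulus), 48-byte premaster.
 * tamper: 0 = valid, 1 = wrong leading byte, 2 = extra 0x00 at index 5.
 * Returns the verdict (-2: accepted but wrong message) and the bytes examined. */
int run_case(int tamper, int use_ct, size_t *examined)
{
    uint8_t em[128], out[PMS_LEN], pms[PMS_LEN];
    int rc; size_t ps_len = sizeof em - PMS_LEN - 3;          /* 77 padding bytes */
    memset(pms, 0x11, sizeof pms);                            /* constructed secret */
    em[0] = 0x00; em[1] = 0x02;
    memset(em + 2, 0xA5, ps_len);                             /* non-zero PS */
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, pms, PMS_LEN);
    if (tamper == 1) em[0] = 0x01;
    if (tamper == 2) em[5] = 0x00;
    rc = use_ct ? pkcs1_unpad_ct(em, sizeof em, out, PMS_LEN, examined)
                : pkcs1_unpad_leaky(em, sizeof em, out, PMS_LEN, examined);
    if (rc == 0 && memcmp(out, pms, PMS_LEN) != 0) rc = -2;
    return rc;
}

int verdict_of(int tamper, int use_ct) { size_t n; return run_case(tamper, use_ct, &n); }
size_t examined_by(int tamper, int use_ct) { size_t n; run_case(tamper, use_ct, &n); return n; }

int main(void)
{
    for (int t = 0; t < 3; t++)   /* leaky: examined varies; ct: always 128 */
        printf("tamper=%d leaky rc=%d examined=%zu | ct rc=%d examined=%zu\n", t,
               verdict_of(t, 0), examined_by(t, 0), verdict_of(t, 1), examined_by(t, 1));
    return 0;
}
```

The leaky routine touches 1, 6 or 80 bytes depending on where the padding first goes wrong, while the constant-time routine always touches all 128 and reports its verdict through a mask. Note that this is only half of the defence: a server that then branches on the error code (different alert, different timing) reopens the oracle at the TLS layer, which is why the fix in the library has to be paired with the random-premaster fallback that TLS servers already use.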
Who should update
We recommend that all affected users update, at an appropriate point in their development lifecycle, to take advantage of the fixes contained in these releases.
End of life for Mbed TLS 2.1
Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. There will be no further releases of Mbed TLS 2.1 after 2018. The latest long-term support branch is Mbed TLS 2.7.
Get your copy here:
Compare the SHA-256 of the archive you download with the value listed for it before unpacking it (for example with sha256sum on Linux or shasum -a 256 on macOS). SHA-1 values are listed as well, but SHA-256 is the one to rely on.
The hashes for mbedtls-2.14.1-apache.tgz are:
SHA-1: ba0be2b8155710ef1da3ea5a05a4823812a50eed
SHA-256: f189cbd58c9b1933e4e4460b592664447f3694ad2de882a1332d177e8eedc61d
The hashes for mbedtls-2.14.1-gpl.tgz are:
SHA-1: 07be3241b593b08d4a4bd79afe1ef301b275f529
SHA-256: baa1121952786f5b2c66c52226a8ca0e05126de920d1756266551df677915b7e
The hashes for mbedtls-2.7.8-apache.tgz are:
SHA-1: bdbb278d15625809eef29f6c46bc6660649428f3
SHA-256: c241b59e9a1013d7e8b6c4ddf45d8ea5345a027b7133a38a2b193e5cad72480e
The hashes for mbedtls-2.7.8-gpl.tgz are:
SHA-1: a9db53b3f0274e08c633ba9bcfe564c6add5fb10
SHA-256: 5536ef6416b229706ed2061b964fc8b14e2c129954add4b5155adb78f7f1b6f3
The hashes for mbedtls-2.1.17-apache.tgz are:
SHA-1: ec5cb552ab69f699a7878d12d43b2e033f682c60
SHA-256: a37a96d18b3958e9e1269865adacd56c50975a42bb5d40468fe78bc8e975e501
The hashes for mbedtls-2.1.17-gpl.tgz are:
SHA-1: d3e0036932337bdb2a1f1f1d037f1cece23c8053
SHA-256: fdc21b405c8cc721a5c31bd319b7406155ad1c4f642d0a261cc19d9f1a4a6aa3