Maintenance releases for Mbed TLS 2.16 and Mbed TLS 2.7 are now available.
These releases bring fixes for a security issue, as described in more detail in our security advisory.
- (2.16, 2.7) Fix side channel vulnerability in ECDSA. Our bignum implementation is not constant time/constant trace, so side channel attacks can retrieve the blinded value, factor it (as it is smaller than RSA keys and not guaranteed to have only large prime factors), and then, by brute force, recover the key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
- (2.16, 2.7) Zeroize local variables in mbedtls_internal_aes_encrypt() and mbedtls_internal_aes_decrypt() before exiting the function. The value of these variables can be used to recover the last round key. To follow best practice and to limit the impact of buffer overread vulnerabilities (like Heartbleed) we need to zeroize them before exiting the function. Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai, Grant Hernandez, and Kevin Butler (University of Florida) and Dave Tian (Purdue University).
- (2.16, 2.7) Fix side channel vulnerability in ECDSA key generation. Obtaining precise timings on the comparison in the key generation enabled the attacker to learn leading bits of the ephemeral key used during ECDSA signatures and to recover the private key. Reported by Jeremy Dubeuf.
- (2.16, 2.7) Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught failures could happen with alternative implementations of AES. Bug reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri, Sectra.
- (2.16) Remove redundant line for getting the bitlen of a bignum, since the variable holding the returned value is overwritten a line after. Found by irwir in #2377.
- (2.16, 2.7) Support mbedtls_hmac_drbg_set_entropy_len() and mbedtls_ctr_drbg_set_entropy_len() before the DRBG is seeded. Before, the initial seeding always reset the entropy length to the compile-time default.
- (2.16, 2.7) Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx() from the cipher abstraction layer. Fixes #2198.
- (2.16, 2.7) Clarify how the interface of the CTR_DRBG and HMAC modules relates to NIST SP 800-90A. In particular CTR_DRBG requires an explicit nonce to achieve a 256-bit strength if MBEDTLS_ENTROPY_FORCE_SHA256 is set.
Who should update
We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
The in source version reporting still reports the old version numbers. This is confusing, but does not have any functional impact. To fix this run
./scripts/bump_version.sh --version 2.16.4 or
./scripts/bump_version.sh --version 2.7.13 before compilation.
Get your copy here:
The hashes for mbedtls-2.16.4-apache.tgz are:
SHA-1: e446cbac7d24fc3ff1b1c4ee7c021694ede86db6 SHA-256: 3441f32bda9c8ef58acc9e18028d09eb9c17d199eb27141bec074905152fb2fb
The hashes for mbedtls-2.16.4-gpl.tgz are:
SHA-1: 1bb74beacb786a5228c2ad5417a97aa98d0354eb SHA-256: 5fdb9c43ab43fd9bcc3631508170b089ede7b86dd655253a93cb0ffeb42309f3
The hashes for mbedtls-2.7.13-apache.tgz are:
SHA-1: a539756905c312591aae757ecbf3e0aadc6d1c46 SHA-256: 6772fe21c7755dc513920e84adec629d39188b6451542ebaece428f0eba655c9
The hashes for mbedtls-2.7.13-gpl.tgz are:
SHA-1: 0a93ae80ac904a55106a43a757253d799bb0125f SHA-256: 86f15d6a1fc859fc44340f896f3b59ad37b4e7c432b64ce8925c98d0f034df09