PolarSSL is now part of ARM Official announcement and rebranded as mbed TLS.

mbed TLS Security Advisory 2017-01

This Security Advisory describes three vulnerabilities, their impact and fixes for each possible attack.


Title Remote plaintext recovery on use of CBC based ciphersuites
CVE CVE-2018-0497
Date 25th July 2018
Affects All versions of Mbed TLS from version 1.2 upwards, including all 2.1, 2.7 and later releases
Impact Allows a remote attacker to partially recover the plaintext
Severity High
Credit Kenny Paterson, Eyal Ronen and Adi Shamir

Vulnerability

When using a CBC based ciphersuite, an remote attacker can partially recover the plaintext. To be able to mount an attack, the attacker requires the folllowing:

  • to be able to observe and manipulate network packets
  • for TLS, to be able to generate multiple sessions where the same secret is encrypted. For DTLS a single session is sufficient

The attacker can then partially recover the plaintext of messages exploiting timing side-channels. The attack is feasible for all versions of TLS and DTLS, from 1.0 to 1.2.

With DTLS, the attacker can perform the attack by sending many messages across the same connection. With TLS or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only works if the same secret (for example a HTTP cookie) has been repeatedly sent over connections manipulated by the attacker.

The vulnerability was caused by a miscalculation for SHA-384 in a countermeasure to the original Lucky 13 attack.

Impact

If the attacker has the advantage of all the conditions of the attack described above, they can potentially at least partially recover the plaintext sent in the connection.

Resolution

Affected users should upgrade to one of the most recent versions of Mbed TLS, includng 2.12.0, 2.7.5 or 2.1.14 or later.

Workaround

Where possible, we recommend all users upgrade to a newer version of Mbed TLS.

If this is not possible, as a workaround, we recommend disable CBC based ciphersuites from your configuration. Connections using GCM or CCM instead of CBC, using hash sizes other than SHA-384, or using Encrypt-then-Mac (RFC 7366) are not affected.


Title Plaintext recovery on use of CBC based ciphersuites through a cache based side-channel
CVE CVE-2018-0498
Date 25th July 2018
Affects All versions of Mbed TLS from version 1.2 upwards, including all 2.1, 2.7 and later releases
Impact Allows partial recovery of the plaintext
Severity High
Credit Kenny Paterson, Eyal Ronen and Adi Shamir

Vulnerability

When using a CBC based ciphersuite, an attacker with the ability to execute arbitrary code on the machine under attack can partially recover the plaintext by use of cache based side-channels. To be able to mount an attack, the attacker requires the folllowing:

  • the ability to execute arbitrary code to the machine under attack
  • to be able to observe and manipulate network packets

The attacker can then partially recover the plaintext of messages exploiting timing side-channels. The attacks are feasible for all versions of TLS and DTLS, from 1.0 to 1.2.

Two attacks are possible - an attack targetting an internal message digest buffer and an attack targeting the TLS input record buffer.

For the first attack, when using DTLS, the attacker can perform the attack by sending many messages across the same connection. With TLS or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only works if the same secret (for example a HTTP cookie) has been repeatedly sent over connections manipulated by the attacker.

Impact

If the attacker has the advantage of all the conditions of the attack described above, they can potentially at least partially recover the plaintext sent in the connection.

Resolution

Affected users should upgrade to one of the most recent versions of Mbed TLS, includng 2.12.0, 2.7.5 or 2.1.14 or later.

Workaround

Where possible, we recommend all users upgrade to a newer version of Mbed TLS.

If this is not possible, as a workaround, we recommend disable CBC based ciphersuites from your configuration. Connections using GCM or CCM instead of CBC, using hash sizes other than SHA-384, or using Encrypt-then-Mac (RFC 7366) are not affected.

We also recommend all users ensure any machine or device hosting Mbed TLS is properly secure:

  • Maintain up-to-date systems with the latest security updates from the operating system vendor, and if necessary, any microcode updates issued by the processor vendor.
  • Ensure you follow security best practices and guidelines. For example, do not run any unstrusted software.

Like this?

Section:
Security Advisories

Author:


Published:


Last updated:
Jul 26, 2018

Sharing:


Want to stay up to date?

To sign up for Mbed TLS news, log in to or create an Mbed account and update your marketing preferences.