asn1_buf_to_c_string() returned a literal string if the input ASN.1 string
contained a NUL character, while the caller expects a mutable string.
The caller will attempt to change this string, which allows a client to
crash a server by sending a certificate with an embedded NUL character.
(The other way around is not interesting, as servers are allowed to stop
a client by design.)
Impact analysis:
* applies to mbedtls builds only
* introduced in 2.4 (so 2.3 is not affected)
* can only be exploited if the --x509-track option is used
* requires the CA to sign a certificate with an embedded NUL in the
certificate subject
This bug was discovered and reported to the OpenVPN security team by
Guido Vranken.
CVE: 2017-7522
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1497864520-12219-2-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/search?l=mid&q=1497864520-12219-2-git-send-email-steffan.karger@fox-it.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Version 2.4.3
=============
+Security
+--------
+- CVE-2017-7522: Fix --x509-track post-authentication remote DoS
+ A client could crash a 2.4+ mbedtls server, if that server uses the
+ --x509-track option and the client has a correct, signed and unrevoked
+ certificate that contains an embedded NUL in the certificate subject.
+ Discovered and reported to the OpenVPN security team by Guido Vranken.
+
User-visible Changes
--------------------
- ``--verify-hash`` can now take an optional flag which changes the hashing
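Review bot: the new Security entry leaves the affected range slightly vaguer than the commit message does; "2.4+" reads as open-ended, while the message states the bug was introduced in 2.4 and that 2.3 is not affected, and this entry sits under "Version 2.4.3". Suggest stating the range explicitly, e.g. "A client could crash a 2.4.0 to 2.4.2 mbedtls server" (or "2.4 server prior to 2.4.3"), and keeping the two preconditions as written, since both the --x509-track option and a CA-signed certificate with an embedded NUL in the subject must hold for the crash to be reachable.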
{
if (orig->p[i] == '\0')
{
- return "ERROR: embedded null value";
+ return string_alloc("ERROR: embedded null value", gc);
}
}
val = gc_malloc(orig->len+1, false, gc);
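Review bot: the one-line change is the right minimal fix for the crash (the literal was immutable and the caller writes into the result, so `string_alloc("ERROR: embedded null value", gc)` gives the caller a writable copy from the same gc_arena it already uses for the normal path via `gc_malloc(orig->len+1, false, gc)`), but the function still reports the error in-band: the returned value is indistinguishable from a subject whose text is literally "ERROR: embedded null value", and nothing in the hunk stops the caller from treating it as a decoded string. Suggest either returning NULL (or an empty gc string) and letting the --x509-track caller check for that, or at least adding a short comment above the `return` noting that the error text must be gc-allocated because the caller modifies it, so the next person does not "optimise" it back into a literal.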