From: Steffan Karger
Date: Mon, 19 Jun 2017 09:28:36 +0000 (+0200)
Subject: mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
X-Git-Tag: v2.4.3~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=67edada0beaf5ce6e47f13526b9f678dad4fc126;p=thirdparty%2Fopenvpn.git

mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)

asn1_buf_to_c_string() returned a literal string if the input ASN.1 string contained a NUL character, while the caller expects a mutable string. The caller will attempt to change this string, which allows a client to crash a server by sending a certificate with an embedded NUL character. (The other way around is not interesting, as servers are allowed to stop a client by design.)

Impact analysis:
 * applies to mbedtls builds only
 * introduced in 2.4 (so 2.3 is not affected)
 * can only be exploited if the --x509-track option is used
 * requires the CA to sign a certificate with an embedded NUL in the certificate subject

This bug was discovered and reported to the OpenVPN security team by Guido Vranken.

CVE: 2017-7522
Signed-off-by: Steffan Karger
Acked-by: Gert Doering
Message-Id: <1497864520-12219-2-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/search?l=mid&q=1497864520-12219-2-git-send-email-steffan.karger@fox-it.com
Signed-off-by: Gert Doering
(cherry picked from commit 426392940c7060300a10077c389f5156c790c2f6)
---
diff --git a/Changes.rst b/Changes.rst
index 94cba0703..f1aed2d8b 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -306,6 +306,14 @@ Maintainer-visible changes Version 2.4.3 ============= +Security +-------- +- CVE-2017-7522: Fix --x509-track post-authentication remote DoS + A client could crash a 2.4+ mbedtls server, if that server uses the + --x509-track option and the client has a correct, signed and unrevoked + certificate that contains an embedded NUL in the certificate subject. + Discovered and reported to the OpenVPN security team by Guido Vranken. + User-visible Changes -------------------- - ``--verify-hash`` can now take an optional flag which changes the hashing diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index 2b7056c83..d3b36dcb1 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -271,7 +271,7 @@ asn1_buf_to_c_string(const mbedtls_asn1_buf *orig, struct gc_arena *gc) { if (orig->p[i] == '\0') { - return "ERROR: embedded null value"; + return string_alloc("ERROR: embedded null value", gc); } } val = gc_malloc(orig->len+1, false, gc);
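Review bot: in the ssl_verify_mbedtls.c hunk, the embedded-NUL error text is still handed back through the same channel as real subject data, so the --x509-track caller cannot distinguish a conversion failure from a subject whose value happens to equal "ERROR: embedded null value"; returning NULL (or a separate status) on that path and checking it in the caller would make the failure explicit instead of relying on a sentinel string. The `string_alloc("ERROR: embedded null value", gc)` change itself is consistent with the normal path's `val = gc_malloc(orig->len+1, false, gc);`, so every return is now gc-owned and writable. Two follow-ups would harden this further: a regression test that converts a subject containing an embedded NUL and then writes to the result would have caught the original defect, and building with -Wwrite-strings would have flagged the removed `return "ERROR: embedded null value";` as returning a string literal through a non-const pointer.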
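To make the defect in the commit message concrete, here is an added example that is not OpenVPN's code: `asn1_buf` and `arena` are simplified stand-ins for `mbedtls_asn1_buf` and `struct gc_arena`, `arena_strdup` plays the role of `string_alloc`, and `truncate_at_space` is a hypothetical caller that edits the returned string in place, as the commit message says the real caller does. The conversion function follows the patched version, so every return path yields a writable, arena-owned buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for mbedtls_asn1_buf (assumption for this example): raw bytes
 * of an ASN.1 string, which are not NUL-terminated and may contain NUL. */
typedef struct {
    const unsigned char *p;
    size_t len;
} asn1_buf;

/* Toy stand-in for OpenVPN's gc_arena: blocks that are freed together. */
#define ARENA_MAX 16
typedef struct {
    void *blocks[ARENA_MAX];
    int n;
} arena;

static void *arena_alloc(arena *a, size_t len)
{
    if (a->n >= ARENA_MAX) {
        return NULL;
    }
    void *m = calloc(1, len);
    if (m) {
        a->blocks[a->n++] = m;
    }
    return m;
}

/* Plays the role of string_alloc(): copy a C string into the arena. */
static char *arena_strdup(arena *a, const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = arena_alloc(a, n);
    if (d) {
        memcpy(d, s, n);
    }
    return d;
}

static void arena_free(arena *a)
{
    for (int i = 0; i < a->n; i++) {
        free(a->blocks[i]);
    }
    a->n = 0;
}

/* Fixed behaviour, mirroring the '+' line of the patch: the embedded-NUL
 * error path returns an arena-owned copy instead of a string literal, so
 * a caller that modifies the result never writes into read-only memory. */
static char *asn1_buf_to_c_string(const asn1_buf *orig, arena *gc)
{
    for (size_t i = 0; i < orig->len; i++) {
        if (orig->p[i] == '\0') {
            return arena_strdup(gc, "ERROR: embedded null value");
        }
    }
    char *val = arena_alloc(gc, orig->len + 1);
    if (!val) {
        return NULL;
    }
    memcpy(val, orig->p, orig->len);
    val[orig->len] = '\0';
    return val;
}

/* Hypothetical caller in the style the commit message describes: it edits
 * the returned string in place (here by cutting it at the first space). */
static size_t truncate_at_space(char *s)
{
    char *sp = strchr(s, ' ');
    if (sp) {
        *sp = '\0';
    }
    return strlen(s);
}

/* Constructed subject with an embedded NUL ("CN=a\0b"). With the old
 * literal return, the in-place edit would write to read-only memory;
 * with the fix it succeeds and leaves "ERROR:" (length 6). */
static size_t demo_embedded_nul(void)
{
    static const unsigned char subj[] = { 'C', 'N', '=', 'a', '\0', 'b' };
    asn1_buf buf = { subj, sizeof subj };
    arena gc = { {0}, 0 };
    char *s = asn1_buf_to_c_string(&buf, &gc);
    size_t n = s ? truncate_at_space(s) : 0;
    arena_free(&gc);
    return n;
}

/* Constructed well-formed subject ("CN=a b"): normal path, truncated to
 * "CN=a" (length 4). */
static size_t demo_plain(void)
{
    static const unsigned char subj[] = { 'C', 'N', '=', 'a', ' ', 'b' };
    asn1_buf buf = { subj, sizeof subj };
    arena gc = { {0}, 0 };
    char *s = asn1_buf_to_c_string(&buf, &gc);
    size_t n = s ? truncate_at_space(s) : 0;
    arena_free(&gc);
    return n;
}

int main(void)
{
    printf("embedded NUL -> length after edit: %zu\n", demo_embedded_nul());
    printf("plain subject -> length after edit: %zu\n", demo_plain());
    return 0;
}
```

The point of the two demo functions is that the caller's write succeeds on both paths only because both return arena memory; swapping `arena_strdup(gc, "...")` back to `return "ERROR: embedded null value";` reintroduces a write to a string literal, which is exactly the crash the advisory describes.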