Mbed TLS 2.7.5
Description
Mbed TLS 2.7.5 is a maintenance release and contains no new features. It addresses some significant security issues and resolves multiple defects. Two of the security issues addressed in this release have been assigned CVE identifiers, CVE-2018-0497 and CVE-2018-0498, and security advisories are being provided for them.
Security
- Fixed a vulnerability in the TLS ciphersuites based on the use of CBC and SHA-384 in DTLS/TLS 1.0 to 1.2, that allowed an active network attacker to partially recover the plaintext of messages under certain conditions by exploiting timing side channels. With DTLS, the attacker could perform this recovery by sending many messages in the same connection. With TLS, or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if the same secret (for example an HTTP cookie) had been repeatedly sent over connections manipulated by the attacker. Connections using GCM or CCM instead of CBC, or using a hash other than SHA-384, or using Encrypt-then-MAC (RFC 7366) were not affected. The vulnerability was caused by a miscalculation for SHA-384 in a countermeasure to the original Lucky 13 attack. This issue has been allocated CVE-2018-0497. Found by Kenny Paterson, Eyal Ronen and Adi Shamir.
- Fixed a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker, with the ability to execute code on the local machine as well as to manipulate network packets, to partially recover the plaintext of messages under certain conditions by using a cache attack targeting an internal MD/SHA buffer. With TLS, or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if the same secret (for example an HTTP cookie) had been repeatedly sent over connections manipulated by the attacker. Connections using GCM or CCM instead of CBC, or using Encrypt-then-MAC (RFC 7366), were not affected. This issue, together with the cache side channel below, has been allocated CVE-2018-0498. Found by Kenny Paterson, Eyal Ronen and Adi Shamir.
- Added a countermeasure against a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker, with the ability to execute code on the local machine as well as to manipulate network packets, to partially recover the plaintext of messages under certain conditions (see the previous entry) by using a cache attack targeting the SSL input record buffer. Connections using GCM or CCM instead of CBC, or using Encrypt-then-MAC (RFC 7366), were not affected. This issue, together with the cache side channel above, has been allocated CVE-2018-0498. Found by Kenny Paterson, Eyal Ronen and Adi Shamir.
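The first entry above describes a miscalculation in the Lucky 13 countermeasure for SHA-384. The countermeasure works by running extra, dummy hash compression-function calls after the real MAC computation so that the number of calls (and hence the MAC-check time) does not depend on how many padding bytes a decrypted CBC record claims; that extra count has to be derived from the hash's own block size and length-field size, and SHA-384 uses a 128-byte block and a 16-byte length field where SHA-1 and SHA-256 use 64 and 8. The following Python model, added here as an illustration and not Mbed TLS code, counts compression calls for every padding length a record could claim and shows that the count is constant when the countermeasure uses the right parameters but varies when SHA-256's parameters are applied to SHA-384. The record layout (plaintext || MAC || padding || length byte) and the 13-byte MAC header follow TLS; the exact formula for the dummy runs and the decision to ignore HMAC's constant-cost blocks are this example's own simplifications.

```python
"""Model of the Lucky 13 MAC-timing countermeasure for TLS CBC ciphersuites.

Added example, not Mbed TLS code. It counts hash compression-function calls,
which is what a Lucky 13 attacker measures, for a decrypted TLS CBC record
laid out as  plaintext || MAC || padding || padding-length byte.
"""

# Merkle-Damgard parameters per hash: (compression block size, length field), bytes.
HASH_PARAMS = {
    "SHA1":   (64, 8),
    "SHA256": (64, 8),
    "SHA384": (128, 16),   # wider block and length field than the others
}
MAC_LEN = {"SHA1": 20, "SHA256": 32, "SHA384": 48}
TLS_MAC_HEADER = 13  # seq_num(8) || type(1) || version(2) || length(2), MACed with the plaintext


def compression_calls(msg_len, block_size, len_field):
    """Compression-function calls needed to hash msg_len bytes.
    MD padding appends 0x80, zero fill, then the bit length in len_field bytes."""
    return (msg_len + 1 + len_field + block_size - 1) // block_size


def mac_work(msg_len, padlen, real, assumed):
    """Compression calls spent on one record's MAC check with the countermeasure.

    real    : parameters of the hash actually used by the ciphersuite
    assumed : parameters the countermeasure's formula was written for
    padlen  : padding bytes plus the length byte (1..256)

    The MAC is computed over header || plaintext (the data-dependent part),
    then 'extra' dummy compression calls top it up to what the longest possible
    plaintext for this record would have cost. Constant-cost HMAC blocks
    (ipad block, outer hash) are omitted since they never depend on padlen.
    """
    actual = compression_calls(TLS_MAC_HEADER + msg_len, *real)
    longest = TLS_MAC_HEADER + msg_len + padlen      # same for every padlen split
    extra = (compression_calls(longest, *assumed)
             - compression_calls(TLS_MAC_HEADER + msg_len, *assumed))
    return actual + extra


def timing_profile(record_len, hash_name, assumed_hash):
    """Set of compression-call counts over every padding length a decrypted
    record of record_len bytes could validly claim. A single element means the
    MAC check cost is independent of padding, i.e. no timing oracle."""
    real, assumed = HASH_PARAMS[hash_name], HASH_PARAMS[assumed_hash]
    mac_len = MAC_LEN[hash_name]
    counts = set()
    for padlen in range(1, min(256, record_len - mac_len) + 1):
        msg_len = record_len - mac_len - padlen
        counts.add(mac_work(msg_len, padlen, real, assumed))
    return counts


def leaks_padding(record_len, hash_name, assumed_hash=None):
    """True if MAC-check cost varies with the padding length for this record size."""
    return len(timing_profile(record_len, hash_name, assumed_hash or hash_name)) > 1


def leaky_record_lengths(hash_name, assumed_hash, max_len=16384):
    """Record lengths (AES block multiples) for which the mismatch leaks padding."""
    return [n for n in range(16, max_len + 1, 16)
            if leaks_padding(n, hash_name, assumed_hash)]


if __name__ == "__main__":
    for name in HASH_PARAMS:
        print(f"{name} with its own parameters: leaks at",
              len(leaky_record_lengths(name, name)), "record lengths")
    bad = leaky_record_lengths("SHA384", "SHA256")
    print("SHA-384 with the 64/8 formula: leaks at", len(bad), "record lengths, e.g.",
          bad[:5], "->", timing_profile(bad[0], "SHA384", "SHA256"))
```

With the hash's own parameters the total collapses to compression_calls(13 + record_len - mac_len), a value that depends only on the record length the attacker already knows; with the 64/8 formula applied to SHA-384 the dummy runs under- or over-shoot by one call depending on where the real plaintext ends, which is exactly a padding-dependent timing difference. Encrypt-then-MAC sidesteps the whole issue because the MAC is checked over the ciphertext before any padding is examined.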
Bugfix
- Fixed the key_app_writer example, which was creating an invalid ASN.1 tag by writing an additional leading zero byte. Found by Aryeh R. #1257.
- Fixed a C++ compilation error caused by a variable named new. Found and fixed by Hirotaka Niisato. #1783.
- Clarified the documentation for mbedtls_ssl_write() to include 0 as a valid return value. Found by @davidwu2000. #839.
- Fixed a memory leak in mbedtls_x509_csr_parse(). Found and fixed by catenacyber, Philippe Antoine. #1623.
- Added length checks to some TLS parsing functions. Found and fixed by Philippe Antoine from Catena cyber. #1663.
- Removed unused headers included in x509.c. Found by Chris Hanson and fixed by Brendan Shanks. #992.
- Fixed a compilation error when MBEDTLS_ARC4_C is disabled and MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
- Fixed the inline assembly for the MPI multiply helper function for i386 and i386 with SSE2. Found by László Langó. #1550.
- Fixed the namespacing in header files: removed the mbedtls namespacing from the #include directives in the header files. #857.
- Fixed a compiler warning of 'use before initialisation' in mbedtls_pk_parse_key(). Found by Martin Boye Petersen and fixed by Dawid Drozd. #1098.
- Fixed decryption of zero-length messages (which consist entirely of padding) when a CBC-based ciphersuite was used together with Encrypt-then-MAC. Previously, such a message was wrongly reported as an invalid record and therefore led to the connection being terminated. This was seen most often with OpenSSL using TLS 1.0. Reported by @kFYatek and by Conor Murphy on the forum. Fix contributed by Espressif Systems. #1632.
- Fixed the ssl_client2 example to send application data with 0-length content when the request_size argument is set to 0, as stated in the documentation. #1833.
- Corrected the documentation for mbedtls_ssl_get_session(). This API makes a deep copy of the session, so the peer certificate is not lost. #926.
Changes
- Fail when receiving a TLS alert message with an invalid length, or an invalid zero-length message, when using TLS 1.2. Contributed by Espressif Systems.
- Changed the shebang line in Perl scripts to look up perl in the PATH. Contributed by fbrosson.
Who should update
We recommend that all users update, at an appropriate point in their development lifecycle, to take advantage of the security and bug fixes contained in this release.
Users of Mbed TLS 1.3 or any earlier version are recommended to upgrade to one of the maintained releases as Mbed TLS 1.3 has now reached its end-of-life.
End of life for Mbed TLS 2.1
Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. Mbed TLS 2.1 will not be supported after Autumn 2018. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. The latest long-term support branch is Mbed TLS 2.7.