SB2018042302 - Gentoo update for mbed TLS 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2018042302

SB2018042302 - Gentoo update for mbed TLS

Published: April 23, 2018

Security Bulletin ID SB2018042302
Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Security restrictions bypass (CVE-ID: CVE-2017-18187)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to integer overflow in PSK identity parsing in the ssl_parse_client_psk_identity() function in library/ssl_srv.c. A remote attacker can trigger memory corruption and bypass bounds-check.

2) Buffer overflow (CVE-ID: CVE-2018-0487)

The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.

The weakness exists due to improper validation of Rivest-Shamir-Adleman Probabilistic Signature Scheme (RSASSA-PSS) signatures. A remote attacker can send a specially crafted certificate chain, which the affected software can mishandle during RSASSA-PSS signature verification, trigger buffer overflow and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

3) Remote code execution (CVE-ID: CVE-2018-0488)

The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.

The weakness exists due to improper processing of crafted packets when using the truncated HMAC extension and CBC. A remote attacker can send a specially crafted input and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Install update from vendor's website.

References