#VU31777 Code Injection in mbed TLS - CVE-2015-5291

Cybersecurity Help s.r.o.

Published: 2015-11-02 | Updated: 2020-07-23

Vulnerability identifier: #VU31777

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2015-5291

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
mbed TLS
Universal components / Libraries / Libraries used by multiple products

Vendor: ARM

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in a long hostname to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message. NOTE: this identifier has been SPLIT per ADT3 due to different affected version ranges. See CVE-2015-8036 for the session ticket issue that was introduced in 1.3.0. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Update to version 2.1.2.

Vulnerable software versions

mbed TLS: 2.0.0, 2.1.0 - 2.1.1

External links
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/170317.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-October/169765.html
https://lists.opensuse.org/opensuse-security-announce/2015-12/msg00013.html
https://lists.opensuse.org/opensuse-updates/2015-12/msg00119.html
https://www.debian.org/security/2016/dsa-3468
https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf
https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/
https://security.gentoo.org/glsa/201706-18
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01