FreeBSD : mbed TLS (PolarSSL) -- remote code execution (c2f107e1-2493-11e8-b3e8-001cc0382b2f)

critical Nessus Plugin ID 107283

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Simon Butcher reports:

- When the truncated HMAC extension is enabled and CBC is used, sending a malicious application packet can be used to selectively corrupt 6 bytes on the peer's heap, potentially leading to a crash or remote code execution. This can be triggered remotely from either side in both TLS and DTLS.

- When RSASSA-PSS signature verification is enabled, sending a maliciously constructed certificate chain can be used to cause a buffer overflow on the peer's stack, potentially leading to a crash or remote code execution. This can be triggered remotely from either side in both TLS and DTLS.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?c5679f5d

http://www.nessus.org/u?3d12502e

Plugin Details

Severity: Critical

ID: 107283

File Name: freebsd_pkg_c2f107e1249311e8b3e8001cc0382b2f.nasl

Version: 1.3

Type: local

Published: 3/12/2018

Updated: 11/10/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:mbedtls, p-cpe:/a:freebsd:freebsd:polarssl13, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 3/10/2018

Vulnerability Publication Date: 2/5/2018

Reference Information

CVE: CVE-2018-0487, CVE-2018-0488