Detections
Analytics

FreeBSD : mbed TLS (PolarSSL) -- multiple vulnerabilities (f41e3e54-076b-11e7-a9f2-0011d823eebd)

high Nessus Plugin ID 97691

Language:

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Janos Follath reports :

- If a malicious peer supplies a certificate with a specially crafted secp224k1 public key, then an attacker can cause the server or client to attempt to free block of memory held on stack. Depending on the platform, this could result in a Denial of Service (client crash) or potentially could be exploited to allow remote code execution with the same privileges as the host application.

- If the client and the server both support MD5 and the client can be tricked to authenticate to a malicious server, then the malicious server can impersonate the client. To launch this man in the middle attack, the adversary has to compute a chosen-prefix MD5 collision in real time. This is very expensive computationally, but can be practical. Depending on the platform, this could result in a Denial of Service (client crash) or potentially could be exploited to allow remote code execution with the same privileges as the host application.

- A bug in the logic of the parsing of a PEM encoded Certificate Revocation List in mbedtls_x509_crl_parse() can result in an infinite loop. In versions before 1.3.10 the same bug results in an infinite recursion stack overflow that usually crashes the application. Methods and means of acquiring the CRLs is not part of the TLS handshake and in the strict TLS setting this vulnerability cannot be triggered remotely. The vulnerability cannot be triggered unless the application explicitly calls mbedtls_x509_crl_parse() or mbedtls_x509_crl_parse_file()on a PEM formatted CRL of untrusted origin. In which case the vulnerability can be exploited to launch a denial of service attack against the application.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?a5dfef80

http://www.nessus.org/u?47f9f291

Plugin Details

Severity: High

ID: 97691

File Name: freebsd_pkg_f41e3e54076b11e7a9f20011d823eebd.nasl

Version: 3.4

Type: local

Published: 3/13/2017

Updated: 1/4/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:mbedtls, p-cpe:/a:freebsd:freebsd:polarssl13, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 3/12/2017

Vulnerability Publication Date: 3/11/2017