Vulnerabilities > CVE-2018-0498

047910
CVSS 4.7 - MEDIUM
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
local
high complexity
arm
debian
nessus

Summary

ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows local users to achieve partial plaintext recovery (for a CBC based ciphersuite) via a cache-based side-channel attack.

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4267-1.NASL
    descriptionIt was discovered that mbedtls has a bounds-check bypass through an integer overflow that can be used by an attacked to execute arbitrary code or cause a denial of service. (CVE-2017-18187) It was discovered that mbedtls has a vulnerability where an attacker could execute arbitrary code or cause a denial of service (buffer overflow) via a crafted certificate chain that is mishandled during RSASSA-PSS signature verification within a TLS or DTLS session. (CVE-2018-0487) It was discovered that mbedtls has a vulnerability where an attacker could execute arbitrary code or cause a denial of service (heap corruption) via a crafted application packet within a TLS or DTLS session. (CVE-2018-0488) It was discovered that mbedtls has a vulnerability that allows remote attackers to achieve partial plaintext recovery (for a CBC based ciphersuite) via a timing-based side-channel attack. (CVE-2018-0497) It was discovered that mbedtls has a vulnerability that allows local users to achieve partial plaintext recovery (for a CBC based ciphersuite) via a cache-based side-channel attack. (CVE-2018-0498). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id133521
    published2020-02-06
    reporterUbuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133521
    titleUbuntu 16.04 LTS : mbedtls vulnerabilities (USN-4267-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4267-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133521);
      script_version("1.2");
      script_cvs_date("Date: 2020/02/10");
    
      script_cve_id("CVE-2017-18187", "CVE-2018-0487", "CVE-2018-0488", "CVE-2018-0497", "CVE-2018-0498");
      script_xref(name:"USN", value:"4267-1");
    
      script_name(english:"Ubuntu 16.04 LTS : mbedtls vulnerabilities (USN-4267-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that mbedtls has a bounds-check bypass through an
    integer overflow that can be used by an attacked to execute arbitrary
    code or cause a denial of service. (CVE-2017-18187)
    
    It was discovered that mbedtls has a vulnerability where an attacker
    could execute arbitrary code or cause a denial of service (buffer
    overflow) via a crafted certificate chain that is mishandled during
    RSASSA-PSS signature verification within a TLS or DTLS session.
    (CVE-2018-0487)
    
    It was discovered that mbedtls has a vulnerability where an attacker
    could execute arbitrary code or cause a denial of service (heap
    corruption) via a crafted application packet within a TLS or DTLS
    session. (CVE-2018-0488)
    
    It was discovered that mbedtls has a vulnerability that allows remote
    attackers to achieve partial plaintext recovery (for a CBC based
    ciphersuite) via a timing-based side-channel attack. (CVE-2018-0497)
    
    It was discovered that mbedtls has a vulnerability that allows local
    users to achieve partial plaintext recovery (for a CBC based
    ciphersuite) via a cache-based side-channel attack. (CVE-2018-0498).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4267-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected libmbedcrypto0, libmbedtls10 and / or
    libmbedx509-0 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmbedcrypto0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmbedtls10");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmbedx509-0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/02/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"libmbedcrypto0", pkgver:"2.2.1-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libmbedtls10", pkgver:"2.2.1-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libmbedx509-0", pkgver:"2.2.1-2ubuntu0.3")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libmbedcrypto0 / libmbedtls10 / libmbedx509-0");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1518.NASL
    descriptionTwo vulnerabilities were discovered in polarssl, a lightweight crypto and SSL/TLS library (nowadays continued under the name mbedtls) which could result in plain text recovery via side-channel attacks. Two other minor vulnerabilities were discovered in polarssl which could result in arithmetic overflow errors. CVE-2018-0497 As a protection against the Lucky Thirteen attack, the TLS code for CBC decryption in encrypt-then-MAC mode performs extra MAC calculations to compensate for variations in message size due to padding. The amount of extra MAC calculation to perform was based on the assumption that the bulk of the time is spent in processing 64-byte blocks, which is correct for most supported hashes but not for SHA-384. Correct the amount of extra work for SHA-384 (and SHA-512 which is currently not used in TLS, and MD2 although no one should care about that). This is a regression fix for what CVE-2013-0169 had been fixed this. CVE-2018-0498 The basis for the Lucky 13 family of attacks is for an attacker to be able to distinguish between (long) valid TLS-CBC padding and invalid TLS-CBC padding. Since our code sets padlen = 0 for invalid padding, the length of the input to the HMAC function gives information about that. Information about this length (modulo the MD/SHA block size) can be deduced from how much MD/SHA padding (this is distinct from TLS-CBC padding) is used. If MD/SHA padding is read from a (static) buffer, a local attacker could get information about how much is used via a cache attack targeting that buffer. Let
    last seen2020-06-01
    modified2020-06-02
    plugin id117711
    published2018-09-27
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117711
    titleDebian DLA-1518-1 : polarssl security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1518-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(117711);
      script_version("1.1");
      script_cvs_date("Date: 2018/09/27 11:15:32");
    
      script_cve_id("CVE-2013-0169", "CVE-2018-0497", "CVE-2018-0498", "CVE-2018-9988", "CVE-2018-9989");
      script_bugtraq_id(57778);
    
      script_name(english:"Debian DLA-1518-1 : polarssl security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Two vulnerabilities were discovered in polarssl, a lightweight crypto
    and SSL/TLS library (nowadays continued under the name mbedtls) which
    could result in plain text recovery via side-channel attacks.
    
    Two other minor vulnerabilities were discovered in polarssl which
    could result in arithmetic overflow errors.
    
    CVE-2018-0497
    
    As a protection against the Lucky Thirteen attack, the TLS code for
    CBC decryption in encrypt-then-MAC mode performs extra MAC
    calculations to compensate for variations in message size due to
    padding. The amount of extra MAC calculation to perform was based on
    the assumption that the bulk of the time is spent in processing
    64-byte blocks, which is correct for most supported hashes but not for
    SHA-384. Correct the amount of extra work for SHA-384 (and SHA-512
    which is currently not used in TLS, and MD2 although no one should
    care about that).
    
    This is a regression fix for what CVE-2013-0169 had been
    fixed this.
    
    CVE-2018-0498
    
    The basis for the Lucky 13 family of attacks is for an attacker to be
    able to distinguish between (long) valid TLS-CBC padding and invalid
    TLS-CBC padding. Since our code sets padlen = 0 for invalid padding,
    the length of the input to the HMAC function gives information about
    that.
    
    Information about this length (modulo the MD/SHA block size)
    can be deduced from how much MD/SHA padding (this is
    distinct from TLS-CBC padding) is used. If MD/SHA padding is
    read from a (static) buffer, a local attacker could get
    information about how much is used via a cache attack
    targeting that buffer.
    
    Let's get rid of this buffer. Now the only buffer used is
    the internal MD/SHA one, which is always read fully by the
    process() function.
    
    CVE-2018-9988
    
    Prevent arithmetic overflow on bounds check and add bound check before
    signature length read in ssl_parse_server_key_exchange().
    
    CVE-2018-9989
    
    Prevent arithmetic overflow on bounds check and add bound check before
    length read in ssl_parse_server_psk_hint()
    
    For Debian 8 'Jessie', these problems have been fixed in version
    1.3.9-2.1+deb8u4.
    
    We recommend that you upgrade your polarssl packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/polarssl"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libpolarssl-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libpolarssl-runtime");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libpolarssl7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/09/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/27");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"libpolarssl-dev", reference:"1.3.9-2.1+deb8u4")) flag++;
    if (deb_check(release:"8.0", prefix:"libpolarssl-runtime", reference:"1.3.9-2.1+deb8u4")) flag++;
    if (deb_check(release:"8.0", prefix:"libpolarssl7", reference:"1.3.9-2.1+deb8u4")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_F4876DD49CA811E8AA170011D823EEBD.NASL
    descriptionSimon Butcher reports : - When using a CBC based ciphersuite, a remote attacker can partially recover the plaintext. - When using a CBC based ciphersuite, an attacker with the ability to execute arbitrary code on the machine under attack can partially recover the plaintext by use of cache based side-channels.
    last seen2020-06-01
    modified2020-06-02
    plugin id111659
    published2018-08-13
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111659
    titleFreeBSD : mbed TLS -- plaintext recovery vulnerabilities (f4876dd4-9ca8-11e8-aa17-0011d823eebd)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4296.NASL
    descriptionTwo vulnerabilities were discovered in mbedtls, a lightweight crypto and SSL/TLS library which could result in plain text recovery via side-channel attacks.
    last seen2020-06-01
    modified2020-06-02
    plugin id117506
    published2018-09-17
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117506
    titleDebian DSA-4296-1 : mbedtls - security update