dropbear icon indicating copy to clipboard operation
dropbear copied to clipboard
verified publisher icon mkj

libtomcrypt: fix vulnerability in der_decode_utf8_string CVE-2019-17362

Open ynezz opened this issue 1 year ago • 2 comments

[ cherry pick of upstream commit 64d1153e5a515740ab56f39c46baf4cf6991a9d3 ]

The der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data.

To exploit this vulnerability an attacker must be able to provide crafted DER-encoded data to LibTomCrypt (e.g. by importing a X509 certificate). Information disclosure is made possible by a 2-steps attack where the imported data is later somehow re-encoded and sent to the attacker (e.g. import and then export X509 certificate).

Fixes: CVE-2019-17362 References: https://github.com/libtom/libtomcrypt/issues/507

ynezz avatar Aug 21 '24 10:08 ynezz

Dropbear isn't using LTC's DER functions (can confirm by putting #error nope in der_decode_utf8_string). I don't mind cherry picking this in, but I don't think the extra patch on top will be much help if people are trying to determine whether Dropbear is affected by the CVE. Thoughts?

mkj avatar Aug 23 '24 01:08 mkj

tl;dr I would patch it (I proposed patching it in OpenWrt)

Dropbear isn't using LTC's DER functions (can confirm by putting #error nope in der_decode_utf8_string)

Indeed, that was my impression as well while quickly grepping through the source code.

I don't think the extra patch on top will be much help if people are trying to determine whether Dropbear is affected by the CVE.

Well I've noticed this in some downstream fix and simply checked state of this codebase and looked up CVE-2019-17362 in issues/pull requests, but couldn't find anything, thus I've created this pull request. I can imagine, that most of the folks consider this a CVE security theater, but IMO better safe, than sorry.

There are more aspects to consider, like transitive risks in downstream projects, future code changes, security scanners and compliance, project reputation and trust to name a few.

Anyways, I'll leave the decision up to you, good luck! :)

ynezz avatar Aug 23 '24 16:08 ynezz

@mkj: Any progess on it?

Neustradamus avatar Aug 27 '24 04:08 Neustradamus

I don't think merging the unused patch has much benefit in practice, I'll close this. @ynezz thanks for reporting it though, at least now there's a github issue for people to refer to.

Once there's a new upstream release I'll merge that into Dropbear. There won't be a separate Dropbear release for that purpose though.

mkj avatar Aug 27 '24 04:08 mkj

@mkj: I do not understand why it is not possible to currently fix the CVE-2019-17362 and to close all which are refered to. It is normal to keep a CVE in the current code?

Neustradamus avatar Aug 28 '24 02:08 Neustradamus

CVE-2019-17362 is a vulnerability in libtomcrypt but not in Dropbear (or in Dropbear's use of libtomcrypt - the der routines are not used). Changing the unused code in Dropbear's copy of libtomcrypt doesn't change anything functional.

mkj avatar Aug 28 '24 02:08 mkj

@mkj, @ynezz: I have informed the @libtom team about the libtomcrypt CVE-2019-17362 which is not fixed:

  • https://github.com/libtom/libtomcrypt/issues/507#issuecomment-2311562811
  • https://github.com/libtom/libtomcrypt/issues/568#issuecomment-2311561500

Hope a new libtomcrypt release build after the current latest release build 1.18.2 (2018-07-02) - 6 years, 2 moths soon.

cc: @kloczek.

Neustradamus avatar Aug 30 '24 04:08 Neustradamus