Bug 1194371 (CVE-2015-0282)

Summary: CVE-2015-0282 gnutls: RSA PKCS#1 signature verification forgery
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: acathrow, alonbl, bazulay, bmcclain, carnil, cfergeau, dblechte, ecohen, gklein, idith, iheim, jrusnack, lsurette, michal.skrivanek, nmavrogi, raphael, rbalakri, security-response-team, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: GnuTLS 3.1.0
Doc Type: Bug Fix
Doc Text:
It was found that GnuTLS did not verify whether a hashing algorithm listed in a signature matched the hashing algorithm listed in the certificate. An attacker could create a certificate that used a different hashing algorithm than it claimed, possibly causing GnuTLS to use an insecure, disallowed hashing algorithm during certificate verification.
Last Closed: 2015-07-22 17:46:16 UTC
Bug Depends On: 1198159, 1205501, 1205502    
Bug Blocks: 1194368    
Attachments:
Proposed patch for 2.8.5 (flags: none)

Description Vasyl Kaigorodov 2015-02-19 16:41:22 UTC
It was reported that gnutls in RHEL 6 and 5 has a flaw which could lead
to an RSA PKCS#1 signature verification forgery. That is, gnutls doesn't
verify the match of the hash algorithm listed in signature with the
algorithm listed in the certificate, and that could allow a certificate
to be signed with MD5 even when the algorithm is prohibited. This issue
was fixed in gnutls 3.1.0.
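
The check described above, as an added example (not GnuTLS code and not the attached patch): after the RSA public-key operation recovers the PKCS#1 v1.5 block, the hash algorithm named in its DigestInfo has to equal the one declared by the certificate's signatureAlgorithm field. All function names are hypothetical, only MD5 and SHA-256 are covered, and the sample block is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum hash_alg { ALG_UNKNOWN = -1, ALG_MD5, ALG_SHA256 };
/* DER DigestInfo prefixes (RFC 8017, section 9.2) and digest sizes. */
static const struct { uint8_t der[19]; size_t der_len, hash_len; } INFO[] = {
    [ALG_MD5]    = {{0x30,0x20,0x30,0x0c,0x06,0x08,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x02,0x05,0x05,0x00,0x04,0x10}, 18, 16},
    [ALG_SHA256] = {{0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20}, 19, 32},
};

/* Hash named in a decrypted block 00 01 FF..FF 00 || DigestInfo || digest. */
enum hash_alg em_hash_alg(const uint8_t *em, size_t len)
{
    size_t i = 2;
    if (len < 11 || em[0] != 0x00 || em[1] != 0x01)
        return ALG_UNKNOWN;
    while (i < len && em[i] == 0xff)
        i++;
    if (i < 10 || i >= len || em[i++] != 0x00)  /* >= 8 FF bytes, then 00 */
        return ALG_UNKNOWN;
    for (int a = ALG_MD5; a <= ALG_SHA256; a++)  /* exact size: no trailing bytes */
        if (len - i == INFO[a].der_len + INFO[a].hash_len &&
            memcmp(em + i, INFO[a].der, INFO[a].der_len) == 0)
            return (enum hash_alg)a;
    return ALG_UNKNOWN;
}

/* The check: the signature's hash must be the one the certificate declares. */
int sig_alg_matches(const uint8_t *em, size_t len, enum hash_alg declared)
{
    return declared != ALG_UNKNOWN && em_hash_alg(em, len) == declared;
}

/* Constructed sample block with a dummy digest; len must be at least 62. */
void build_sample_em(uint8_t *em, size_t len, enum hash_alg alg)
{
    size_t t = INFO[alg].der_len + INFO[alg].hash_len;
    memset(em, 0xff, len);
    em[0] = 0x00; em[1] = 0x01; em[len - t - 1] = 0x00;
    memcpy(em + len - t, INFO[alg].der, INFO[alg].der_len);
    memset(em + len - INFO[alg].hash_len, 0xab, INFO[alg].hash_len);
}

int main(void)
{
    uint8_t em[64];
    build_sample_em(em, sizeof em, ALG_MD5);  /* certificate declares SHA-256 */
    return puts(sig_alg_matches(em, sizeof em, ALG_SHA256) ? "accept" : "reject") < 0;
}
```

A full verifier would additionally compare the digest bytes in the block against the hash of the signed certificate data, computed with the declared algorithm.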

Comment 4 Nikos Mavrogiannopoulos 2015-03-03 13:59:40 UTC
Created attachment 997548
Proposed patch for 2.8.5

Comment 5 Martin Prpič 2015-03-11 12:19:59 UTC
Public via:

http://www.gnutls.org/security.html#GNUTLS-SA-2015-1

Comment 6 Vasyl Kaigorodov 2015-03-16 16:48:34 UTC
Acknowledgment:

This issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team.

Comment 7 Raphaël Hertzog 2015-03-23 17:07:06 UTC
Nikos, I used your patch on top of gnutls2.8.6-1+squeeze4 (for Debian LTS support) but it doesn't seem to be fully working yet. At least I can't get the test case to succeed:
https://gitlab.com/gnutls/gnutls/commit/58d7dde8a8a6fce1a8aa9aeb29f2247212fe5acd

Before the patch, I get this:
$ certtool -e --infile /tmp/invalid-sig.pem 
Certificate[0]: CN=Different sig in PKCS #1
	Issued by: CN=GnuTLS Test CA
	Verifying against certificate[1].
	Verification output: Verified.

Certificate[1]: CN=GnuTLS Test CA
	Issued by: CN=GnuTLS Test CA
	Verification output: Verified.

Chain verification output: Verified.

After the patch I get this:
$ certtool -e --infile /tmp/invalid-sig.pem 
Certificate[0]: CN=Different sig in PKCS #1
	Issued by: CN=GnuTLS Test CA
	Verifying against certificate[1].
	Verification output: Not verified.

Certificate[1]: CN=GnuTLS Test CA
	Issued by: CN=GnuTLS Test CA
	Verification output: Verified.

Chain verification output: Not verified.
$ echo $?
0

So the certificate is (as expected) not verified but this doesn't result in an error at the certtool level. Maybe it's just a bug in the old version of certtool... but I thought that it was worth pointing out.

Comment 8 Nikos Mavrogiannopoulos 2015-03-24 07:13:26 UTC
(In reply to Raphaël Hertzog from comment #7)

> Chain verification output: Not verified.
> $ echo $?
> 0
> So the certificate is (as expected) not verified but this doesn't result in
> an error at the certtool level. Maybe it's just a bug in the old version of
> certtool... but I thought that it was worth pointing out.

Indeed, certtool in 2.8.6 doesn't exit with error code on verification errors.

Comment 9 Huzaifa S. Sidhpurwala 2015-03-25 04:42:02 UTC
Statement:

This issue did not affect the version of gnutls package as shipped with Red Hat Enterprise Linux 7.

This issue affects the version of gnutls package as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Extended Life Cycle phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 11 errata-xmlrpc 2015-07-22 06:02:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1457 https://rhn.redhat.com/errata/RHSA-2015-1457.html