Bug 1370955 (CVE-2016-6129)

Summary: CVE-2016-6129 libtomcrypt: possible OP-TEE Bleichenbacher attack
Product: [Other] Security Response
Reporter: Jeremy Choi <jechoi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: bmcclain, dblechte, eedri, mgoldboi, michal.skrivanek, negativo17, pcahyna, sbonazzo, ykaul
Keywords: Reopened, Security
Hardware: All
OS: Linux
Last Closed: 2019-06-08 02:57:56 UTC
Bug Depends On: 1370956, 1370957, 1471002
Bug Blocks: 1460222

Description Jeremy Choi 2016-08-28 23:50:24 UTC
It has been reported that libtomcrypt may be vulnerable to a Bleichenbacher attack due to a vulnerability in rsa_verify_hash.c

CERT has provided the details from Intel Security Advanced Threat Research team.
 
----------------------------------------------------------------------
Bleichenbacher signature forgery attack in OP-TEE

Background

The implementation for RSA signature verification of PKCS 1 v1.5 in the Open Portable Trusted Execution Environment (https://github.com/OP-TEE/optee_os) appears to be vulnerable to a Bleichenbacher signature forgery attack. The vulnerability may result in RSA signature or public certificate forgery when a low public exponent (for example, e = 3) is used.

Vulnerability

The function rsa_verify_hash_ex (https://github.com/OPTEE/optee_os/blob/master/core/lib/libtomcrypt/src/pk/rsa/rsa_verify_hash.c) does not check the number of remaining bytes in the decrypted message after ASN.1 encoded data.

The function decodes the ASN.1 message and checks that it has the correct structure and values (OID and hash). This permits additional data after the ASN.1 message that can be used to forge a PKCS1 v1.5 signature for keys with a low public exponent. The original variant of the attack is described here: https://www.ietf.org/mail-archive/web/openpgp/current/msg00999.html

----------------------------------------------------------------------
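
A minimal model of the missing check described in the report above, added here as an illustration and not taken from libtomcrypt or OP-TEE. It operates on the already-decrypted encoded message and compares a verifier that ignores bytes after the DigestInfo with one that rejects them. SHA-256, a 256-byte block, the function names and the sample bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* DER DigestInfo header for SHA-256; the 32-byte digest follows it. */
static const unsigned char PREFIX[19] = {
    0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,
    0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20 };
#define DI_LEN (sizeof PREFIX + 32)   /* full DigestInfo length */

/* Skip 00 01 FF..FF 00; return payload offset, or 0 if malformed. */
static size_t skip_padding(const unsigned char *em, size_t len) {
    size_t i = 2;
    if (len < 11 || em[0] != 0x00 || em[1] != 0x01) return 0;
    while (i < len && em[i] == 0xFF) i++;
    if (i < 10 || i >= len || em[i] != 0x00) return 0; /* need >= 8 FF */
    return i + 1;
}

/* Lenient: checks OID and hash, ignores whatever follows (the reported flaw). */
int verify_lenient(const unsigned char *em, size_t len, const unsigned char *h) {
    size_t off = skip_padding(em, len);
    if (off == 0 || len - off < DI_LEN) return 0;
    return memcmp(em + off, PREFIX, sizeof PREFIX) == 0 &&
           memcmp(em + off + sizeof PREFIX, h, 32) == 0;
}

/* Strict: additionally requires that DigestInfo ends exactly at the end. */
int verify_strict(const unsigned char *em, size_t len, const unsigned char *h) {
    size_t off = skip_padding(em, len);
    if (off == 0 || len - off != DI_LEN) return 0;
    return verify_lenient(em, len, h);
}

/* Constructed sample: 256-byte block with `extra` bytes after DigestInfo.
   Returns the verdict of the strict (1) or lenient (0) verifier. */
int check_sample(size_t extra, int strict) {
    unsigned char em[256], h[32];
    size_t nff, p;
    if (extra > 194) return -1;          /* keep at least 8 FF bytes */
    nff = 202 - extra;                   /* 256 - 2 - 1 - DI_LEN - extra */
    memset(h, 0xAB, sizeof h);           /* constructed digest value */
    memset(em, 0x5A, sizeof em);         /* constructed trailing filler */
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xFF, nff);
    p = 2 + nff;
    em[p++] = 0x00;
    memcpy(em + p, PREFIX, sizeof PREFIX);
    memcpy(em + p + sizeof PREFIX, h, 32);
    return strict ? verify_strict(em, sizeof em, h)
                  : verify_lenient(em, sizeof em, h);
}
```

With no trailing bytes both verifiers accept the block; with any trailing bytes only the lenient one does, which is the gap the report identifies.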

Comment 1 Jeremy Choi 2016-08-28 23:51:15 UTC
Created libtomcrypt tracking bugs for this issue:

Affects: fedora-all [bug 1370956]
Affects: epel-all [bug 1370957]

Comment 3 Borja Tarraso 2017-07-04 14:39:22 UTC
Acknowledgments:

Name: Borja Tarraso (Red Hat)

Comment 4 Borja Tarraso 2017-07-14 09:00:00 UTC
RHEV should take the pkgs from the base OS - but double checking with PM to be sure before marking this as fixed.