It has been reported that libtomcrypt may be vulnerable to a Bleichenbacher attack due to a vulnerability in rsa_verify_hash.c
CERT has provided the details from Intel Security Advanced Threat Research team.
----------------------------------------------------------------------
Bleichenbacher signature forgery attack in OP-TEE
Background
The implementation for RSA signature verification of PKCS 1 v1.5 in the Open Portable Trusted Execution Environment (https://github.com/OP-TEE/optee_os) appears to be vulnerable to a Bleichenbacher signature forgery attack. The vulnerability may result in RSA signature or public certificate forgery when a low public exponent (for example, e = 3) is used.
Vulnerability
The function rsa_verify_hash_ex (https://github.com/OPTEE/optee_os/blob/master/core/lib/libtomcrypt/src/pk/rsa/rsa_verify_hash.c) does not check the number of remaining bytes in the decrypted message after ASN.1 encoded data.
The function decodes the ASN.1 message and checks that it has the correct structure and values (OID and hash). This permits additional data after the ASN.1 message that can be used to forge a PKCS1 v1.5 signature for keys with a low public exponent. The original variant of the attack is described here: https://www.ietf.org/mail-archive/web/openpgp/current/msg00999.html
----------------------------------------------------------------------