Bug 1602931 (CVE-2018-10903)

Summary: CVE-2018-10903 python-cryptography: GCM tag forgery via truncated tag in finalize_with_tag API
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apevec, bmcclain, cheimes, chrisw, dblechte, dfediuck, eedri, jjoyce, jschluet, kbasil, lhh, lpeer, markmc, mburns, mgoldboi, michal.skrivanek, npmccallum, rbryant, rhos-maint, sbonazzo, sclewis, sherold, slinaber, tdecacqu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: python-cryptography 2.3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:33:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1602932, 1605040, 1605041, 1605042, 1607923    
Bug Blocks: 1602933    

Description Pedro Sampaio 2018-07-18 20:15:40 UTC 
A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.

Upstream patch:

https://github.com/pyca/cryptography/pull/4342/commits/688e0f673bfbf43fa898994326c6877f00ab19ef

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1602752
Comment 4 Joshua Padman 2018-07-20 04:07:29 UTC 
The following OpenStack releases ship the vulnerable library. However, OpenStack does not appear to use the GCM mode.
Red Hat OpenStack 13
Red Hat OpenStack 14
Comment 5 Joshua Padman 2018-07-20 04:11:14 UTC 
Created python-cryptography tracking bugs for this issue:

Affects: openstack-rdo [bug 1605041]
Comment 9 Alan Pevec 2018-07-25 14:41:55 UTC 
(In reply to Pedro Yóssis Silva Barbosa from comment #8)
> RHEL7.5 ships version 1.7.2-2. Thus it is affected.

How come, description says >=1.9.0 and <2.3 ?
Comment 10 Pedro Yóssis Silva Barbosa 2018-07-28 18:37:27 UTC 
Correction: RHEL7.5 ships version 1.7.2-2 and the finalize_with_tag method wasn't implemented in this version. Thus it is NOT affected. I am closing the rhel-7 tracker.
Comment 11 errata-xmlrpc 2018-11-13 22:13:18 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2018:3600 https://access.redhat.com/errata/RHSA-2018:3600