Bug 1691529 (CVE-2019-11840)

Summary: CVE-2019-11840 golang-googlecode-go-crypto: Keystream loop in amd64 assembly when overflowing 32-bit counter
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahardin, amurdaca, bbaude, bleanhar, ccoleman, databases-maint, dbecker, dedgar, eparis, fpokorny, go-sig, hchiramm, hhorak, jchaloup, jgoulding, jjoyce, jmulligan, jokerman, jorton, jschluet, kbasil, kramdoss, lhh, lpeer, lsm5, madam, mburns, mchappel, mfojtik, pkubat, rhs-bugs, sankarshan, sclewis, sisharma, slinaber, storage-qa-internal, thrcka, vbatts, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20190320,reported=20190321,source=internet,cvss3=6.5/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N,cwe=CWE-330,fedora-all/golang-googlecode-go-crypto=affected,epel-all/golang-googlecode-go-crypto=affected,rhscl-3/rh-mongodb32-golang-googlecode-go-crypto=wontfix,openstack-15/golang-googlecode-go-crypto=affected,fedora-all/gomtree=affected,openshift-online-3/gomtree=notaffected,rhel-8/gomtree=notaffected,fedora-all/source-to-image=affected,openshift-enterprise-3.10/source-to-image=new,openshift-enterprise-3.11/atomic-openshift=new,openshift-enterprise-4.1/atomic-openshift=new,rhscl-3/rh-mongodb34-mongo-tools=notaffected,rhscl-3/rh-mongodb36-mongo-tools=notaffected,rhscl-3/source-to-image=notaffected,rhel-7/gomtree=notaffected,rhscl-3/rh-mongodb34-mongodb=notaffected,rhscl-3/rh-mongodb36-mongodb=notaffected,rhes-3/heketi=affected
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1691532, 1691533, 1693042, 1713176, 1691530, 1691531, 1694799    
Bug Blocks: 1691535    

Description Pedro Sampaio 2019-03-21 20:17:14 UTC
A flaw was found in  the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

Upstream patch:

https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d

References:

https://groups.google.com/forum/#!msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJ

Comment 1 Pedro Sampaio 2019-03-21 20:17:38 UTC
Created golang-googlecode-go-crypto tracking bugs for this issue:

Affects: epel-all [bug 1691531]
Affects: fedora-all [bug 1691530]


Created gomtree tracking bugs for this issue:

Affects: fedora-all [bug 1691532]


Created source-to-image tracking bugs for this issue:

Affects: fedora-all [bug 1691533]

Comment 2 Scott Gayou 2019-03-26 18:59:51 UTC
Notes on if gomtree is impacted:

gomtree upstream: https://github.com/vbatts/go-mtree
(gomtree is just the cli output binary, see cmd/gomtree)
gomtree includes nacl box. (https://godoc.org/golang.org/x/crypto/nacl/box)
nacl box includes "golang.org/x/crypto/salsa20/salsa".

Can't find any uses of salsa or box in the actual gomtree source code. Grepping strings in the binary shows no instances of these either. I think the salsa20 is just an artifact.

sals20 was deleted upstream in this commit:

https://github.com/vbatts/go-mtree/commit/94a6c46bde3ce60a3ea448136730e5c331eed85b

I think glide was pulling in all of salsa via this in glide.yaml:

import:
- package: golang.org/x/crypto
  subpackages:
  - ripemd160

Unclear where box was coming from. Nevertheless, I believe gomtree isn't affected.

Comment 4 Scott Gayou 2019-03-27 17:02:02 UTC
Same thing with source-to-image. Salsa20 looks to be a dependency, but I believe that is because it's pulling down x/crypto again.

```
- package: golang.org/x/crypto
  version: 81e90905daefcd6fd217b62423c0908922eadb30
```

I didn't find any usages of it in the code after a quick glance.

Comment 5 Scott Gayou 2019-03-28 17:24:39 UTC
mongodb 3.4 looks unaffected. crypto lib only appears to be used in ./common/password/pass_util.go. Godeps pulls down all of crypto to the best of my knowledge.

`golang.org/x/crypto                     1f22c0103821b9390939b6776727195525381532    github.com/golang/crypto`

Comment 6 Scott Gayou 2019-03-28 17:30:23 UTC
Same result for mongodb 3.6.3

Comment 7 Scott Gayou 2019-03-28 18:16:22 UTC
Same result for mongo-tools. Pulls down crypto deps, doesn't appear to make use of salsa20.