Bug 2228743 (CVE-2023-29409)

Summary: CVE-2023-29409 golang: crypto/tls: slow verification of certificate chains containing large RSA keys
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: Go 1.20.7, Go 1.19.12
Doc Text:
A denial of service vulnerability was found in the Golang Go package caused by an uncontrolled resource consumption flaw. By persuading a victim to use a specially crafted certificate with large RSA keys, a remote attacker can cause a client/server to expend significant CPU time verifying signatures, resulting in a denial of service condition.
Bug Depends On: 2228829, 2228830, 2228831, 2228832, 2228833, 2228836, 2228837, 2228838, 2228839, 2228840, 2228842, 2228843, 2228844, 2229061, 2229062, 2229063, 2229064, 2229065, 2229066, 2229067, 2229068, 2229069, 2229070, 2229072, 2229073, 2229074, 2229075, 2229076, 2229078, 2229079, 2229081, 2229082, 2229083, 2229084, 2229085, 2229086, 2229087, 2229089, 2229090, 2229091, 2229092, 2229093, 2229094, 2229620, 2229621, 2228834, 2228835, 2229071, 2229077, 2229080, 2229088, 2230278    
Bug Blocks: 2228694    

Description Avinash Hanwate 2023-08-03 07:10:56 UTC
Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With the fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.

https://go.dev/cl/515257
https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ
https://pkg.go.dev/vuln/GO-2023-1987
https://go.dev/issue/61460
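
An added example (not part of the bug report and not the Go project's code): a Go helper for operators of private PKIs that flags certificates in a chain whose RSA modulus exceeds the 8192-bit limit the description says the fix applies during handshakes. `auditChain`, `Finding` and `sampleCert` are hypothetical names, and the sample certificates are constructed, unsigned structs rather than real certificates.

```go
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// maxRSABits is the limit quoted in the description (<= 8192 bits allowed).
const maxRSABits = 8192

// Finding records one certificate whose RSA modulus is over the limit.
type Finding struct {
	Index, Bits int // Index is the position in the chain, 0 = leaf
	Subject     string
}

// auditChain returns a Finding for every RSA key larger than maxRSABits.
// Certificates with non-RSA keys (ECDSA, Ed25519) are skipped.
func auditChain(chain ...*x509.Certificate) []Finding {
	var out []Finding
	for i, c := range chain {
		pub, ok := c.PublicKey.(*rsa.PublicKey)
		if !ok || pub.N == nil {
			continue
		}
		if n := pub.N.BitLen(); n > maxRSABits {
			out = append(out, Finding{Index: i, Bits: n, Subject: c.Subject.CommonName})
		}
	}
	return out
}

// sampleCert builds a constructed certificate struct whose modulus has exactly
// `bits` bits. It is not a usable key; it only stands in for a parsed certificate.
func sampleCert(cn string, bits int) *x509.Certificate {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1))
	return &x509.Certificate{
		Subject:   pkix.Name{CommonName: cn},
		PublicKey: &rsa.PublicKey{N: n, E: 65537},
	}
}

func main() {
	for _, f := range auditChain(sampleCert("leaf.example", 2048), sampleCert("ca.example", 16384)) {
		fmt.Printf("chain[%d] %q: %d-bit RSA key exceeds %d bits\n", f.Index, f.Subject, f.Bits, maxRSABits)
	}
}
```

For real input, pass certificates returned by `x509.ParseCertificate` instead of the constructed samples.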

Comment 6 Avinash Hanwate 2023-08-07 06:07:00 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2229620]
Affects: fedora-all [bug 2229621]

Comment 7 Debarshi Ray 2023-08-07 17:42:48 UTC
Were the bugs for this CVE created correctly?

I got RHEL 8 bugs for toolbox for both the rolling (bug 2229077) and 4.0 (bug 2229071) module streams, but none for RHEL 9.  In comparison, I found RHEL 9 bugs for podman (bug 2229091) and golang (bug 2229065).

So, it seems like RHEL 9 is affected, but then why is there no RHEL 9 toolbox bug?  There's no difference in toolbox across RHEL 8 and 9 that could be relevant to this CVE.

I have seen this happen a few times recently:
https://bugzilla.redhat.com/show_bug.cgi?id=2196026#c33
https://bugzilla.redhat.com/show_bug.cgi?id=2196027#c45

... and it makes me wonder if there's something wrong with the process that's used to file these bugs.

Comment 9 Avinash Hanwate 2023-08-09 09:03:50 UTC
In reply to comment #7:
> Were the bugs for this CVE created correctly?
> 
> I got RHEL 8 bugs for toolbox for both the rolling (bug 2229077) and
> 4.0 (bug 2229071) module streams, but none for RHEL 9.  In comparison, I
> found RHEL 9 bugs for podman (bug 2229091) and golang (bug 2229065).
> 
> So, it seems like RHEL 9 is affected, but then why is there no RHEL 9
> toolbox bug?  There's no difference in toolbox across RHEL 8 and 9 that
> could be relevant to this CVE.
> 
> I have seen this happen a few times recently:
> https://bugzilla.redhat.com/show_bug.cgi?id=2196026#c33
> https://bugzilla.redhat.com/show_bug.cgi?id=2196027#c45
> 
> ... and it makes me wonder if there's something wrong with the process
> that's used to file these bugs.
Hi @debarshi, we are working on fixing this issue. I have filed a tracker for rhel-9/toolbox.

Comment 10 Debarshi Ray 2023-08-09 16:05:41 UTC
(In reply to Avinash Hanwate from comment #9)
> ... we are working on fixing this issue. I have filed a tracker
> for rhel-9/toolbox.

That's fantastic, thanks!