Bug 1194371 – CVE-2015-0282 gnutls: RSA PKCS#1 signature verification forgery

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1194371 - (CVE-2015-0282) CVE-2015-0282 gnutls: RSA PKCS#1 signature verification forgery

Summary:	CVE-2015-0282 gnutls: RSA PKCS#1 signature verification forgery

Status:	CLOSED ERRATA

Aliases:	CVE-2015-0282

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20150311,repor...
Keywords:	Security

Depends On:	1198159 1205501 1205502
Blocks:	1194368
	Show dependency tree / graph

Reported:	2015-02-19 11:41 EST by Vasyl Kaigorodov
Modified:	2016-01-21 05:17 EST (History)
CC List:	19 users (show)

See Also:
Fixed In Version:	GnuTLS 3.1.0
Doc Type:	Bug Fix
Doc Text:	It was found that GnuTLS did not verify whether a hashing algorithm listed in a signature matched the hashing algorithm listed in the certificate. An attacker could create a certificate that used a different hashing algorithm than it claimed, possibly causing GnuTLS to use an insecure, disallowed hashing algorithm during certificate verification.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-07-22 13:46:16 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Proposed patch for 2.8.5 (8.68 KB, patch) 2015-03-03 08:59 EST, Nikos Mavrogiannopoulos	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1457	normal	SHIPPED_LIVE	Moderate: gnutls security and bug fix update	2015-07-21 10:15:08 EDT

Groups: None (edit)

Description Vasyl Kaigorodov 2015-02-19 11:41:22 EST

It was reported that gnutls in RHEL 6 and 5 has a flaw which could lead
to an RSA PKCS#1 signature verification forgery. That is, gnutls doesn't
verify the match of the hash algorithm listed in signature with the
algorithm listed in the certificate, and that could allow a certificate
to be signed with MD5 even when the algorithm is prohibited. This issue
was fixed in gnutls 3.1.0.

Comment 4 Nikos Mavrogiannopoulos 2015-03-03 08:59:40 EST

Created attachment 997548 [details]
Proposed patch for 2.8.5

Comment 5 Martin Prpič 2015-03-11 08:19:59 EDT

Public via:

http://www.gnutls.org/security.html#GNUTLS-SA-2015-1

Comment 6 Vasyl Kaigorodov 2015-03-16 12:48:34 EDT

Acknowledgment:

This issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team.

Comment 7 Raphaël Hertzog 2015-03-23 13:07:06 EDT

Nikos, I used your patch to on top of gnutls2.8.6-1+squeeze4 (for Debian LTS support) but it doesn't seem to be fully working yet. At least I can't get the test case to succeed:
https://gitlab.com/gnutls/gnutls/commit/58d7dde8a8a6fce1a8aa9aeb29f2247212fe5acd

Before the patch, I get this:
$ certtool -e --infile /tmp/invalid-sig.pem 
Certificate[0]: CN=Different sig in PKCS #1
	Issued by: CN=GnuTLS Test CA
	Verifying against certificate[1].
	Verification output: Verified.

Certificate[1]: CN=GnuTLS Test CA
	Issued by: CN=GnuTLS Test CA
	Verification output: Verified.

Chain verification output: Verified.

After the patch I get this:
$ certtool -e --infile /tmp/invalid-sig.pem 
Certificate[0]: CN=Different sig in PKCS #1
	Issued by: CN=GnuTLS Test CA
	Verifying against certificate[1].
	Verification output: Not verified.

Certificate[1]: CN=GnuTLS Test CA
	Issued by: CN=GnuTLS Test CA
	Verification output: Verified.

Chain verification output: Not verified.
$ echo $?
0

So the certificate is (as expected) not verified but this doesn't result in an error at the certtool level. Maybe it's just a bug in the old version of certtool... but I thought that it was worth pointing out.

Comment 8 Nikos Mavrogiannopoulos 2015-03-24 03:13:26 EDT

(In reply to Raphaël Hertzog from comment #7)

> Chain verification output: Not verified.
> $ echo $?
> 0
> So the certificate is (as expected) not verified but this doesn't result in
> an error at the certtool level. Maybe it's just a bug in the old version of
> certtool... but I thought that it was worth pointing out.

Indeed, certtool in 2.8.6 doesn't exit with error code on verification errors.

Comment 9 Huzaifa S. Sidhpurwala 2015-03-25 00:42:02 EDT

Statement:

This issue did not affect the version of gnutls package as shipped with Red Hat Enterprise Linux 7.

This issue affects the version of gnutls package as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Extended Life Cycle phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 11 errata-xmlrpc 2015-07-22 02:02:30 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1457 https://rhn.redhat.com/errata/RHSA-2015-1457.html

Note You need to log in before you can comment on or make changes to this bug.