It has been reported that libtomcrypt may be vulnerable to a Bleichenbacher attack due to a vulnerability in rsa_verify_hash.c CERT has provided the details from Intel Security Advanced Threat Research team. ---------------------------------------------------------------------- Bleichenbacher signature forgery attack in OP-TEE Background The implementation for RSA signature verification of PKCS 1 v1.5 in the Open Portable Trusted Execution Environment (https://github.com/OP-TEE/optee_os) appears to be vulnerable to a Bleichenbacher signature forgery attack. The vulnerability may result in RSA signature or public certificate forgery when a low public exponent (for example, e = 3) is used. Vulnerability The function rsa_verify_hash_ex (https://github.com/OPTEE/optee_os/blob/master/core/lib/libtomcrypt/src/pk/rsa/rsa_verify_hash.c) does not check the number of remaining bytes in the decrypted message after ASN.1 encoded data. The function decodes the ASN.1 message and checks that it has the correct structure and values (OID and hash). This permits additional data after the ASN.1 message that can be used to forge a PKCS1 v1.5 signature for keys with a low public exponent. The original variant of the attack is described here: https://www.ietf.org/mail-archive/web/openpgp/current/msg00999.html ----------------------------------------------------------------------
Created libtomcrypt tracking bugs for this issue: Affects: fedora-all [bug 1370956] Affects: epel-all [bug 1370957]
Upstream fix: https://github.com/OP-TEE/optee_os/commit/30d13250c390c4f56adefdcd3b64b7cc672f9fe2 https://github.com/libtom/libtomcrypt/commit/5eb9743410ce4657e9d54fef26a2ee31a1b5dd09
Acknowledgments: Name: Borja Tarraso (Red Hat)
RHEV should take the pkgs from the base OS - but double checking with PM to be sure before marking this as fixed.