Bug 1602931 (CVE-2018-10903) - CVE-2018-10903 python-cryptography: GCM tag forgery via truncated tag in finalize_with_tag API
Summary: CVE-2018-10903 python-cryptography: GCM tag forgery via truncated tag in fina...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-10903
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1605041 1602932 1605040 1605042 1607923
Blocks: 1602933
TreeView+ depends on / blocked
 
Reported: 2018-07-18 20:15 UTC by Pedro Sampaio
Modified: 2019-09-29 14:44 UTC (History)
24 users (show)

Fixed In Version: python-cryptography 2.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:33:26 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3600 None None None 2018-11-13 22:13:28 UTC
Github pyca cryptography pull 4342/commits/688e0f673bfbf43fa898994326c6877f00ab19ef None None None 2018-09-28 14:28:05 UTC

Description Pedro Sampaio 2018-07-18 20:15:40 UTC
A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.

Upstream patch:

https://github.com/pyca/cryptography/pull/4342/commits/688e0f673bfbf43fa898994326c6877f00ab19ef

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1602752

Comment 4 Joshua Padman 2018-07-20 04:07:29 UTC
The following OpenStack releases ship the vulnerable library. However, OpenStack does not appear to use the GCM mode.
Red Hat OpenStack 13
Red Hat OpenStack 14

Comment 5 Joshua Padman 2018-07-20 04:11:14 UTC
Created python-cryptography tracking bugs for this issue:

Affects: openstack-rdo [bug 1605041]

Comment 9 Alan Pevec 2018-07-25 14:41:55 UTC
(In reply to Pedro Yóssis Silva Barbosa from comment #8)
> RHEL7.5 ships version 1.7.2-2. Thus it is affected.

How come, description says >=1.9.0 and <2.3 ?

Comment 10 Pedro Yóssis Silva Barbosa 2018-07-28 18:37:27 UTC
Correction: RHEL7.5 ships version 1.7.2-2 and the finalize_with_tag method wasn't implemented in this version. Thus it is NOT affected. I am closing the rhel-7 tracker.

Comment 11 errata-xmlrpc 2018-11-13 22:13:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2018:3600 https://access.redhat.com/errata/RHSA-2018:3600


Note You need to log in before you can comment on or make changes to this bug.