ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows local users to achieve partial plaintext recovery (for a CBC based ciphersuite) via a cache-based side-channel attack.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows local users to achieve partial     plaintext recovery (for a CBC based ciphersuite) via a cache-based side-channel attack. (CVE-2018-0498)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4267-1 advisory.

    It was discovered that mbedtls has a bounds-check bypass through an integer overflow that can be used by     an attacked to execute arbitrary code or cause a denial of service. (CVE-2017-18187)

    It was discovered that mbedtls has a vulnerability where an attacker could execute arbitrary code or cause     a denial of service (buffer overflow) via a crafted certificate chain that is mishandled during RSASSA-PSS     signature verification within a TLS or DTLS session. (CVE-2018-0487)

    It was discovered that mbedtls has a vulnerability where an attacker could execute arbitrary code or cause     a denial of service (heap corruption) via a crafted application packet within a TLS or DTLS session.
    (CVE-2018-0488)

    It was discovered that mbedtls has a vulnerability that allows remote attackers to achieve partial     plaintext recovery (for a CBC based ciphersuite) via a timing-based side-channel attack. (CVE-2018-0497)

    It was discovered that mbedtls has a vulnerability that allows local users to achieve partial plaintext     recovery (for a CBC based ciphersuite) via a cache-based side-channel attack. (CVE-2018-0498)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Two vulnerabilities were discovered in polarssl, a lightweight crypto and SSL/TLS library (nowadays continued under the name mbedtls) which could result in plain text recovery via side-channel attacks.

Two other minor vulnerabilities were discovered in polarssl which could result in arithmetic overflow errors.

CVE-2018-0497

As a protection against the Lucky Thirteen attack, the TLS code for CBC decryption in encrypt-then-MAC mode performs extra MAC calculations to compensate for variations in message size due to padding. The amount of extra MAC calculation to perform was based on the assumption that the bulk of the time is spent in processing 64-byte blocks, which is correct for most supported hashes but not for SHA-384. Correct the amount of extra work for SHA-384 (and SHA-512 which is currently not used in TLS, and MD2 although no one should care about that).

This is a regression fix for what CVE-2013-0169 had been fixed this.

CVE-2018-0498

The basis for the Lucky 13 family of attacks is for an attacker to be able to distinguish between (long) valid TLS-CBC padding and invalid TLS-CBC padding. Since our code sets padlen = 0 for invalid padding, the length of the input to the HMAC function gives information about that.

Information about this length (modulo the MD/SHA block size) can be deduced from how much MD/SHA padding (this is distinct from TLS-CBC padding) is used. If MD/SHA padding is read from a (static) buffer, a local attacker could get information about how much is used via a cache attack targeting that buffer.

Let's get rid of this buffer. Now the only buffer used is the internal MD/SHA one, which is always read fully by the process() function.

CVE-2018-9988

Prevent arithmetic overflow on bounds check and add bound check before signature length read in ssl_parse_server_key_exchange().

CVE-2018-9989

Prevent arithmetic overflow on bounds check and add bound check before length read in ssl_parse_server_psk_hint()

For Debian 8 'Jessie', these problems have been fixed in version 1.3.9-2.1+deb8u4.

We recommend that you upgrade your polarssl packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Two vulnerabilities were discovered in mbedtls, a lightweight crypto and SSL/TLS library which could result in plain text recovery via side-channel attacks.

Simon Butcher reports :

- When using a CBC based ciphersuite, a remote attacker can partially recover the plaintext.

- When using a CBC based ciphersuite, an attacker with the ability to execute arbitrary code on the machine under attack can partially recover the plaintext by use of cache based side-channels.

ID	Name	Product	Family	Severity
248056	Linux Distros Unpatched Vulnerability : CVE-2018-0498	Nessus	Misc.	medium
133521	Ubuntu 16.04 LTS : ARM mbed TLS vulnerabilities (USN-4267-1)	Nessus	Ubuntu Local Security Checks	critical
117711	Debian DLA-1518-1 : polarssl security update	Nessus	Debian Local Security Checks	high
117506	Debian DSA-4296-1 : mbedtls - security update	Nessus	Debian Local Security Checks	medium
111659	FreeBSD : mbed TLS -- plaintext recovery vulnerabilities (f4876dd4-9ca8-11e8-aa17-0011d823eebd)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2018-0498

medium

Tenable Plugins

medium

critical

high

medium

medium