FreeBSD : mbed TLS (PolarSSL) -- multiple vulnerabilities (f41e3e54-076b-11e7-a9f2-0011d823eebd)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

Janos Follath reports :

- If a malicious peer supplies a certificate with a specially crafted
secp224k1 public key, then an attacker can cause the server or client
to attempt to free a block of memory held on the stack. Depending on the
platform, this could result in a Denial of Service (client crash) or
potentially could be exploited to allow remote code execution with the
same privileges as the host application.

- If the client and the server both support MD5 and the client can be
tricked to authenticate to a malicious server, then the malicious
server can impersonate the client. To launch this man-in-the-middle
attack, the adversary has to compute a chosen-prefix MD5 collision in
real time. This is very expensive computationally, but can be
practical. Depending on the platform, this could result in a Denial of
Service (client crash) or potentially could be exploited to allow
remote code execution with the same privileges as the host
application.

- A bug in the logic of the parsing of a PEM encoded Certificate
Revocation List in mbedtls_x509_crl_parse() can result in an infinite
loop. In versions before 1.3.10 the same bug results in an infinite
recursion stack overflow that usually crashes the application. Methods
and means of acquiring the CRLs are not part of the TLS handshake and
in the strict TLS setting this vulnerability cannot be triggered
remotely. The vulnerability cannot be triggered unless the application
explicitly calls mbedtls_x509_crl_parse() or
mbedtls_x509_crl_parse_file() on a PEM formatted CRL of untrusted
origin, in which case the vulnerability can be exploited to launch a
denial of service attack against the application.

See also :

http://www.nessus.org/u?a5dfef80
http://www.nessus.org/u?9a044885

Solution :

Update the affected packages.

Risk factor :

High

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 97691

Bugtraq ID:

CVE ID:
