oss-sec mailing list archives
Update on MatrixSSL miscalculation (incomplete fix for CVE-2016-6887)
From: Hanno Böck <hanno () hboeck de>
Date: Sat, 15 Oct 2016 17:35:58 +0200
https://blog.fuzzing-project.org/54-Update-on-MatrixSSL-miscalculation-incomplete-fix-for-CVE-2016-6887.html

CVE-assigners: I think this could get a CVE as an incomplete fix for CVE-2016-6887

----------

I recently [1] reported how I found various bugs in the bignum implementation of MatrixSSL, some of them leading to remotely exploitable vulnerabilities. One of the bugs was that the modular exponentiation function - pstm_exptmod() - produced wrong results for some inputs.

This wasn't really fixed, but only worked around by restricting the allowed size of the modulus. Not surprisingly it is still possible to find inputs that cause miscalculations (code). I reported this to MatrixSSL on August 1st.

Recently MatrixSSL released another update (3.8.6) fixing several vulnerabilities reported by Craig Young from Tripwire [2]. However the pstm_exptmod() bug is still there.

It is unclear how exploitable such bugs are, but given that it's used in the context of cryptographic functions handling secret key material this is clearly a reason for concern.

MatrixSSL has long advertised itself as a safer alternative to OpenSSL, because it didn't suffer from the same kind of high severity bugs. I think it has been sufficiently shown that this was due to the fact that nobody was looking. But what's more worrying is that bugs they knew about for several months now don't get fixed properly.

[1] https://blog.fuzzing-project.org/51-Fun-with-Bignums-Crashing-MatrixSSL-and-more.html
[2] http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/flawed-matrixssl-code-highlights-need-for-better-iot-update-practices/

--
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Attachment: matrixssl-exptmod-bug-variant2.c
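Added example, not part of the original post and not MatrixSSL code: one way to look for this class of miscalculation is to cross-check a modular exponentiation routine against an independent reference on inputs clustered at limb boundaries. `limb_exptmod` is a hypothetical stand-in for the routine under test (a real harness would call the C function through a binding), the 32-bit limb width is an assumption, and Python's built-in `pow()` is taken as the correct reference.

```python
import random

W = 32                      # limb width in bits (assumption for this sketch)
MASK = (1 << W) - 1

def mont_mul(a, b, m, n, m_inv):
    """Word-by-word Montgomery product a*b*R^-1 mod m, with R = 2^(W*n)."""
    t = 0
    for i in range(n):
        t += ((a >> (W * i)) & MASK) * b
        q = ((t & MASK) * m_inv) & MASK      # makes the low limb of t + q*m zero
        t = (t + q * m) >> W
    return t - m if t >= m else t

def limb_exptmod(a, e, m):
    """Hypothetical routine under test: left-to-right square-and-multiply, odd m > 1."""
    n = (m.bit_length() + W - 1) // W
    r = 1 << (W * n)
    m_inv = (-pow(m, -1, 1 << W)) & MASK
    x, acc = (a % m) * r % m, r % m          # Montgomery forms of a and 1
    for bit in bin(e)[2:]:
        acc = mont_mul(acc, acc, m, n, m_inv)
        if bit == "1":
            acc = mont_mul(acc, x, m, n, m_inv)
    return mont_mul(acc, 1, m, n, m_inv)     # leave Montgomery form

def edge_values(bits, rng):
    """Constructed inputs biased toward limb boundaries, where carry bugs hide."""
    vals = [0, 1, 2, (1 << bits) - 1, rng.getrandbits(bits)]
    for k in range(W, bits + 1, W):
        vals += [(1 << k) - 1, 1 << k, (1 << k) + 1]
    return vals

def differential_check(exptmod, bits=256, rounds=200, seed=1):
    """Return every (a, e, m) on which exptmod disagrees with the reference pow()."""
    rng = random.Random(seed)
    bad = []
    for _ in range(rounds):
        a, e, m = (rng.choice(edge_values(bits, rng)) for _ in range(3))
        m |= 1                               # stand-in handles odd moduli only
        if m > 1 and exptmod(a, e, m) != pow(a, e, m):
            bad.append((a, e, m))
    return bad

if __name__ == "__main__":
    print(len(differential_check(limb_exptmod)), "mismatches")
```

Raising `bits` past any size limit the library enforces, and testing just below it, checks whether a size restriction removed the faulty code path or only narrowed the inputs that reach it.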