[Bug 1714640] Re: CVE-2017-14032 - certificate authentication bypass
Simon Quigley
tsimonq2 at ubuntu.com
Thu Sep 7 02:15:09 UTC 2017
Sponsoring to Artful (patch lgtm, thank you!) and unsubscribing ~ubuntu-sponsors. ~ubuntu-security-sponsors can take it from here.
Thank you for your contribution to Ubuntu!
** Also affects: mbedtls (Ubuntu Zesty)
Importance: Undecided
Status: New
** Also affects: mbedtls (Ubuntu Artful)
Importance: Undecided
Status: Confirmed
** Also affects: mbedtls (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: mbedtls (Ubuntu Artful)
Status: Confirmed => Fix Committed
** Changed in: mbedtls (Ubuntu Xenial)
Importance: Undecided => Medium
** Changed in: mbedtls (Ubuntu Zesty)
Importance: Undecided => Medium
** Changed in: mbedtls (Ubuntu Artful)
Importance: Undecided => Medium
** Changed in: mbedtls (Ubuntu Xenial)
Assignee: (unassigned) => James Cowgill (jcowgill)
** Changed in: mbedtls (Ubuntu Zesty)
Assignee: (unassigned) => James Cowgill (jcowgill)
** Changed in: mbedtls (Ubuntu Artful)
Assignee: (unassigned) => James Cowgill (jcowgill)
** Changed in: mbedtls (Ubuntu Xenial)
Status: New => Confirmed
** Changed in: mbedtls (Ubuntu Zesty)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1714640
Title:
CVE-2017-14032 - certificate authentication bypass
Status in mbedtls package in Ubuntu:
Fix Committed
Status in mbedtls source package in Xenial:
Confirmed
Status in mbedtls source package in Zesty:
Confirmed
Status in mbedtls source package in Artful:
Fix Committed
Status in mbedtls package in Debian:
Fix Released
Bug description:
The following security bug was published for mbedtls:
[Vulnerability]
If a malicious peer supplies an X.509 certificate chain that has more
than MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (which by default is
8), it could bypass authentication of the certificates, when the
authentication mode was set to 'optional', i.e.
MBEDTLS_SSL_VERIFY_OPTIONAL. The issue could be triggered remotely by
both the client and server sides.
If the authentication mode, which can be set by the function
mbedtls_ssl_conf_authmode(), was set to 'required', i.e.
MBEDTLS_SSL_VERIFY_REQUIRED, which is the default, authentication would
occur normally as intended.
[Impact]
Depending on the platform, an attack exploiting this vulnerability could
allow successful impersonation of the intended peer and permit
man-in-the-middle attacks.
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
As far as I can tell, mbed TLS in xenial, zesty and artful are
affected. No version of polarssl is affected.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mbedtls/+bug/1714640/+subscriptions
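The following is an added illustration, not code from mbed TLS, from the Ubuntu package or from the bug reporter. It models why 'optional' authentication mode is the exposed configuration: the verifier reports failure through two channels, a return code and a flags word, and under MBEDTLS_SSL_VERIFY_OPTIONAL the handshake discards the return code so that only the flags reach the application (in real mbed TLS via mbedtls_ssl_get_verify_result()). A failure path that returns an error but never sets a flag, as the over-long-chain path did before the 2.6.0 fix, therefore looks like a clean verification to the caller. Everything prefixed model_ is an assumed, simplified stand-in for the real structures and constants; the chain objects are constructed inputs, not parsed certificates.

```c
/*
 * Added model of the CVE-2017-14032 failure mode. Not mbed TLS source:
 * every model_* name is an assumption standing in for the real API.
 */
#include <stdint.h>
#include <stdio.h>

#define MODEL_MAX_INTERMEDIATE_CA   8          /* default MBEDTLS_X509_MAX_INTERMEDIATE_CA */
#define MODEL_ERR_CERT_VERIFY_FAILED (-0x2700) /* assumed error code */
#define MODEL_BADCERT_NOT_TRUSTED   0x0008u    /* assumed flag bit */
#define MODEL_BADCERT_OTHER         0x0100u    /* assumed flag bit */

enum model_authmode { MODEL_VERIFY_OPTIONAL = 1, MODEL_VERIFY_REQUIRED = 2 };

/* Constructed stand-in for a peer's chain: how many intermediates it
 * carries, and whether its top certificate chains to a trusted CA. */
struct model_chain {
    int intermediates;
    int anchored_in_trust_store;
};

typedef int (*model_verify_fn)(const struct model_chain *, uint32_t *);

/* Pre-fix behaviour: the over-long chain path returns an error but
 * leaves *flags at zero, so the flags channel reports "all good". */
static int model_verify_chain_buggy(const struct model_chain *c, uint32_t *flags)
{
    *flags = 0;
    if (c->intermediates > MODEL_MAX_INTERMEDIATE_CA)
        return MODEL_ERR_CERT_VERIFY_FAILED;     /* error, but no flag set */
    if (!c->anchored_in_trust_store) {
        *flags |= MODEL_BADCERT_NOT_TRUSTED;
        return MODEL_ERR_CERT_VERIFY_FAILED;
    }
    return 0;
}

/* Post-fix behaviour: every failure path also records a reason in *flags. */
static int model_verify_chain_fixed(const struct model_chain *c, uint32_t *flags)
{
    *flags = 0;
    if (c->intermediates > MODEL_MAX_INTERMEDIATE_CA) {
        *flags |= MODEL_BADCERT_OTHER;
        return MODEL_ERR_CERT_VERIFY_FAILED;
    }
    if (!c->anchored_in_trust_store) {
        *flags |= MODEL_BADCERT_NOT_TRUSTED;
        return MODEL_ERR_CERT_VERIFY_FAILED;
    }
    return 0;
}

/* Models the handshake's handling of the verifier result: in OPTIONAL
 * mode the return code is dropped and only the flags survive as the
 * verify_result the application can query afterwards. */
static int model_handshake(enum model_authmode mode, const struct model_chain *c,
                           model_verify_fn verify, uint32_t *verify_result)
{
    int ret = verify(c, verify_result);
    if (ret != 0 && mode == MODEL_VERIFY_OPTIONAL)
        ret = 0;                                  /* handshake proceeds */
    return ret;
}

/* What a careful application does: require a successful handshake AND a
 * zero verify_result before treating the peer as authenticated.
 * Returns 1 if the peer would be accepted, 0 otherwise. */
int model_peer_authenticated(enum model_authmode mode, int intermediates,
                             int anchored_in_trust_store, int use_fixed_verifier)
{
    struct model_chain c = { intermediates, anchored_in_trust_store };
    uint32_t verify_result = 0;
    model_verify_fn verify = use_fixed_verifier ? model_verify_chain_fixed
                                                : model_verify_chain_buggy;
    if (model_handshake(mode, &c, verify, &verify_result) != 0)
        return 0;
    return verify_result == 0;
}

int main(void)
{
    const int modes[2] = { MODEL_VERIFY_OPTIONAL, MODEL_VERIFY_REQUIRED };
    const char *names[2] = { "OPTIONAL", "REQUIRED" };
    int m, fixed;

    /* Untrusted chain with 9 intermediates: one more than the default limit. */
    for (fixed = 0; fixed < 2; fixed++)
        for (m = 0; m < 2; m++)
            printf("%s verifier, authmode %s, 9 untrusted intermediates: %s\n",
                   fixed ? "fixed" : "buggy", names[m],
                   model_peer_authenticated(modes[m], 9, 0, fixed)
                       ? "ACCEPTED (bypass)" : "rejected");
    return 0;
}
```

With the buggy verifier and OPTIONAL mode the untrusted 9-intermediate chain is accepted, which is the bypass; the same chain with 8 intermediates is rejected because the not-trusted path does set a flag, and REQUIRED mode rejects it in both versions because the return code is honoured. In a real mbed TLS client or server the equivalent of the final check is calling mbedtls_ssl_get_verify_result() after mbedtls_ssl_handshake() succeeds whenever OPTIONAL mode is in use; the simplest mitigation is to keep the default MBEDTLS_SSL_VERIFY_REQUIRED and install the fixed package.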