USN-4267-1: ARM mbed TLS vulnerabilities
mbedtls vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary
Several security issues were fixed in mbedtls.
Software Description
- mbedtls – lightweight crypto and SSL/TLS library – crypto library
Details
It was discovered that mbedtls has a bounds-check bypass through an integer
overflow that can be used by an attacked to execute arbitrary code or cause a
denial of service.
(CVE-2017-18187)
It was discovered that mbedtls has a vulnerability where an attacker could
execute arbitrary code or cause a denial of service (buffer overflow)
via a crafted certificate chain that is mishandled during RSASSA-PSS
signature verification within a TLS or DTLS session.
(CVE-2018-0487)
It was discovered that mbedtls has a vulnerability where an attacker could
execute arbitrary code or cause a denial of service (heap corruption) via a
crafted application packet within a TLS or DTLS session.
(CVE-2018-0488)
It was discovered that mbedtls has a vulnerability that allows remote
attackers to achieve partial plaintext recovery (for a CBC based ciphersuite)
via a timing-based side-channel attack.
(CVE-2018-0497)
It was discovered that mbedtls has a vulnerability that allows local users to
achieve partial plaintext recovery (for a CBC based ciphersuite) via a
cache-based side-channel attack.
(CVE-2018-0498)
Update instructions
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 16.04 LTS
- libmbedcrypto0 – 2.2.1-2ubuntu0.3
- libmbedtls10 – 2.2.1-2ubuntu0.3
- libmbedx509-0 – 2.2.1-2ubuntu0.3
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
Leave a Reply