mbed TLS (PolarSSL) -- remote code execution
Details
| VuXML ID | c2f107e1-2493-11e8-b3e8-001cc0382b2f | 
| Discovery | 2018-02-05 | 
| Entry | 2018-03-10 | 
Simon Butcher reports:
- When the truncated HMAC extension is enabled and CBC is used, sending a malicious application packet can be used to selectively corrupt 6 bytes on the peer's heap, potentially leading to a crash or remote code execution. This can be triggered remotely from either side in both TLS and DTLS.
- When RSASSA-PSS signature verification is enabled, sending a maliciously constructed certificate chain can be used to cause a buffer overflow on the peer's stack, potentially leading to a crash or remote code execution. This can be triggered remotely from either side in both TLS and DTLS.
 
    Copyright © 2003-2005 Jacques Vidrine and contributors.
    
    Please see the source of this document for full copyright
    information.