path: root/comm/third_party/botan/doc/security.rst

.. highlight:: none

Security Advisories
========================================

If you think you have found a security bug in Botan please contact
Jack Lloyd (jack@randombit.net). If you would like to encrypt your
mail please use::

  pub   rsa3072/57123B60 2015-03-23
        Key fingerprint = 4E60 C735 51AF 2188 DF0A  5A62 78E9 8043 5712 3B60
        uid         Jack Lloyd <jack@randombit.net>

This key can be found in the file ``doc/pgpkey.txt`` or online at
https://keybase.io/jacklloyd and on most PGP keyservers.

2020
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* 2020-07-05: Failure to enforce name constraints on alternative names

  The path validation algorithm enforced name constraints on the primary DN
  included in the certificate but failed to do so against alternative DNs which
  may be included in the subject alternative name. This would allow a corrupted
  sub-CA which was constrained by a name constraints extension in its own
  certificate to issue a certificate containing a prohibited DN. Until 2.15.0,
  there was no API to access these alternative name DNs so it is unlikely that
  any application would make incorrect access control decisions on the basis of
  the incorrect DN. Reported by Mario Korth of Ruhr-Universität Bochum.

  Introduced in 1.11.29, fixed in 2.15.0

* 2020-03-24: Side channel during CBC padding

  The CBC padding operations were not constant time and as a result would leak
  the length of the plaintext values which were being padded to an attacker
  running a side channel attack via shared resources such as cache or branch
  predictor. No information about the contents was leaked, but the length alone
  might be used to make inferences about the contents. This issue affects TLS
  CBC ciphersuites as well as CBC encryption using PKCS7 or other similar padding
  mechanisms. In all cases, the unpadding operations were already constant time
  and are not affected. Reported by Maximilian Blochberger of Universität
  Hamburg.

  Fixed in 2.14.0, all prior versions affected.

2018
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* 2018-12-17 (CVE-2018-20187): Side channel during ECC key generation

  A timing side channel during ECC key generation could leak information about
  the high bits of the secret scalar. Such information allows an attacker to
  perform a brute force attack on the key somewhat more efficiently than they
  would otherwise. Found by Ján Jančár using ECTester.

  Introduced in 1.11.20, fixed in 2.8.0.

* 2018-06-13 (CVE-2018-12435): ECDSA side channel

  A side channel in the ECDSA signature operation could allow a local attacker
  to recover the secret key. Found by Keegan Ryan of NCC Group.

  Bug introduced in 2.5.0, fixed in 2.7.0. The 1.10 branch is not affected.

* 2018-04-10 (CVE-2018-9860): Memory overread in TLS CBC decryption

  An off by one error in TLS CBC decryption meant that for a particular
  malformed ciphertext, the receiver would miscompute a length field and HMAC
  exactly 64K bytes of data following the record buffer as if it was part of the
  message. This cannot be used to leak information since the MAC comparison will
  subsequently fail and the connection will be closed. However it might be used
  for denial of service. Found by OSS-Fuzz.

  Bug introduced in 1.11.32, fixed in 2.6.0

* 2018-03-29 (CVE-2018-9127): Invalid wildcard match

  RFC 6125 wildcard matching was incorrectly implemented, so that a wildcard
  certificate such as ``b*.domain.com`` would match any hosts ``*b*.domain.com``
  instead of just server names beginning with ``b``. The host and certificate
  would still have to be in the same domain name. Reported by Fabian Weißberg of
  Rohde and Schwarz Cybersecurity.

  Bug introduced in 2.2.0, fixed in 2.5.0

2017
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* 2017-10-02 (CVE-2017-14737): Potential side channel using cache information

  In the Montgomery exponentiation code, a table of precomputed values
  is used. An attacker able to analyze which cache lines were accessed
  (perhaps via an active attack such as Prime+Probe) could recover
  information about the exponent. Identified in "CacheD: Identifying
  Cache-Based Timing Channels in Production Software" by Wang, Wang,
  Liu, Zhang, and Wu (Usenix Security 2017).

  Fixed in 1.10.17 and 2.3.0, all prior versions affected.

* 2017-07-16: Failure to fully zeroize memory before free

  The secure_allocator type attempts to zeroize memory before freeing it. Due to
  a error sometimes only a portion of the memory would be zeroed, because of a
  confusion between the number of elements vs the number of bytes that those
  elements use. So byte vectors would always be fully zeroed (since the two
  notions result in the same value), but for example with an array of 32-bit
  integers, only the first 1/4 of the elements would be zeroed before being
  deallocated. This may result in information leakage, if an attacker can access
  memory on the heap. Reported by Roman Pozlevich.

  Bug introduced in 1.11.10, fixed in 2.2.0

* 2017-04-04 (CVE-2017-2801): Incorrect comparison in X.509 DN strings

  Botan's implementation of X.509 name comparisons had a flaw which
  could result in an out of bound memory read while processing a
  specially formed DN. This could potentially be exploited for
  information disclosure or denial of service, or result in incorrect
  validation results. Found independently by Aleksandar Nikolic of
  Cisco Talos, and OSS-Fuzz automated fuzzing infrastructure.

  Bug introduced in 1.6.0 or earlier, fixed in 2.1.0 and 1.10.16

* 2017-03-23 (CVE-2017-7252): Incorrect bcrypt computation

  Botan's implementation of bcrypt password hashing scheme truncated long
  passwords at 56 characters, instead of at bcrypt's standard 72 characters
  limit. Passwords with lengths between these two bounds could be cracked more
  easily than should be the case due to the final password bytes being ignored.
  Found and reported by Solar Designer.

  Bug introduced in 1.11.0, fixed in 2.1.0.

2016
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* 2016-11-27 (CVE-2016-9132) Integer overflow in BER decoder

  While decoding BER length fields, an integer overflow could occur. This could
  occur while parsing untrusted inputs such as X.509 certificates. The overflow
  does not seem to lead to any obviously exploitable condition, but exploitation
  cannot be positively ruled out. Only 32-bit platforms are likely affected; to
  cause an overflow on 64-bit the parsed data would have to be many gigabytes.
  Bug found by Falko Strenzke, cryptosource GmbH.

  Fixed in 1.10.14 and 1.11.34, all prior versions affected.

* 2016-10-26 (CVE-2016-8871) OAEP side channel

  A side channel in OAEP decoding could be used to distinguish RSA ciphertexts
  that did or did not have a leading 0 byte. For an attacker capable of
  precisely measuring the time taken for OAEP decoding, this could be used as an
  oracle allowing decryption of arbitrary RSA ciphertexts. Remote exploitation
  seems difficult as OAEP decoding is always paired with RSA decryption, which
  takes substantially more (and variable) time, and so will tend to mask the
  timing channel. This attack does seems well within reach of a local attacker
  capable of a cache or branch predictor based side channel attack. Finding,
  analysis, and patch by Juraj Somorovsky.

  Introduced in 1.11.29, fixed in 1.11.33

* 2016-08-30 (CVE-2016-6878) Undefined behavior in Curve25519

  On systems without a native 128-bit integer type, the Curve25519 code invoked
  undefined behavior. This was known to produce incorrect results on 32-bit ARM
  when compiled by Clang.

  Introduced in 1.11.12, fixed in 1.11.31

* 2016-08-30 (CVE-2016-6879) Bad result from X509_Certificate::allowed_usage

  If allowed_usage was called with more than one Key_Usage set in the enum
  value, the function would return true if *any* of the allowed usages were set,
  instead of if *all* of the allowed usages are set.  This could be used to
  bypass an application key usage check. Credit to Daniel Neus of Rohde &
  Schwarz Cybersecurity for finding this issue.

  Introduced in 1.11.0, fixed in 1.11.31

* 2016-03-17 (CVE-2016-2849): ECDSA side channel

  ECDSA (and DSA) signature algorithms perform a modular inverse on the
  signature nonce `k`.  The modular inverse algorithm used had input dependent
  loops, and it is possible a side channel attack could recover sufficient
  information about the nonce to eventually recover the ECDSA secret key. Found
  by Sean Devlin.

  Introduced in 1.7.15, fixed in 1.10.13 and 1.11.29

* 2016-03-17 (CVE-2016-2850): Failure to enforce TLS policy

  TLS v1.2 allows negotiating which signature algorithms and hash functions each
  side is willing to accept. However received signatures were not actually
  checked against the specified policy.  This had the effect of allowing a
  server to use an MD5 or SHA-1 signature, even though the default policy
  prohibits it. The same issue affected client cert authentication.

  The TLS client also failed to verify that the ECC curve the server chose to
  use was one which was acceptable by the client policy.

  Introduced in 1.11.0, fixed in 1.11.29

* 2016-02-01 (CVE-2016-2196): Overwrite in P-521 reduction

  The P-521 reduction function would overwrite zero to one word
  following the allocated block. This could potentially result
  in remote code execution or a crash. Found with AFL

  Introduced in 1.11.10, fixed in 1.11.27

* 2016-02-01 (CVE-2016-2195): Heap overflow on invalid ECC point

  The PointGFp constructor did not check that the affine coordinate
  arguments were less than the prime, but then in curve multiplication
  assumed that both arguments if multiplied would fit into an integer
  twice the size of the prime.

  The bigint_mul and bigint_sqr functions received the size of the
  output buffer, but only used it to dispatch to a faster algorithm in
  cases where there was sufficient output space to call an unrolled
  multiplication function.

  The result is a heap overflow accessible via ECC point decoding,
  which accepted untrusted inputs. This is likely exploitable for
  remote code execution.

  On systems which use the mlock pool allocator, it would allow an
  attacker to overwrite memory held in secure_vector objects. After
  this point the write will hit the guard page at the end of the
  mmap'ed region so it probably could not be used for code execution
  directly, but would allow overwriting adjacent key material.

  Found by Alex Gaynor fuzzing with AFL

  Introduced in 1.9.18, fixed in 1.11.27 and 1.10.11

* 2016-02-01 (CVE-2016-2194): Infinite loop in modular square root algorithm

  The ressol function implements the Tonelli-Shanks algorithm for
  finding square roots could be sent into a nearly infinite loop due
  to a misplaced conditional check. This could occur if a composite
  modulus is provided, as this algorithm is only defined for primes.
  This function is exposed to attacker controlled input via the OS2ECP
  function during ECC point decompression. Found by AFL

  Introduced in 1.7.15, fixed in 1.11.27 and 1.10.11

2015
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* 2015-11-04: TLS certificate authentication bypass

  When the bugs affecting X.509 path validation were fixed in 1.11.22, a check
  in Credentials_Manager::verify_certificate_chain was accidentally removed
  which caused path validation failures not to be signaled to the TLS layer.  So
  for affected versions, certificate authentication in TLS is bypassed. As a
  workaround, applications can override the call and implement the correct
  check. Reported by Florent Le Coz in GH #324

  Introduced in 1.11.22, fixed in 1.11.24

* 2015-10-26 (CVE-2015-7824): Padding oracle attack on TLS

  A padding oracle attack was possible against TLS CBC ciphersuites because if a
  certain length check on the packet fields failed, a different alert type than
  one used for message authentication failure would be returned to the sender.
  This check triggering would leak information about the value of the padding
  bytes and could be used to perform iterative decryption.

  As with most such oracle attacks, the danger depends on the underlying
  protocol - HTTP servers are particularly vulnerable. The current analysis
  suggests that to exploit it an attacker would first have to guess several
  bytes of plaintext, but again this is quite possible in many situations
  including HTTP.

  Found in a review by Sirrix AG and 3curity GmbH.

  Introduced in 1.11.0, fixed in 1.11.22

* 2015-10-26 (CVE-2015-7825): Infinite loop during certificate path validation

  When evaluating a certificate path, if a loop in the certificate chain
  was encountered (for instance where C1 certifies C2, which certifies C1)
  an infinite loop would occur eventually resulting in memory exhaustion.
  Found in a review by Sirrix AG and 3curity GmbH.

  Introduced in 1.11.6, fixed in 1.11.22

* 2015-10-26 (CVE-2015-7826): Acceptance of invalid certificate names

  RFC 6125 specifies how to match a X.509v3 certificate against a DNS name
  for application usage.

  Otherwise valid certificates using wildcards would be accepted as matching
  certain hostnames that should they should not according to RFC 6125. For
  example a certificate issued for ``*.example.com`` should match
  ``foo.example.com`` but not ``example.com`` or ``bar.foo.example.com``. Previously
  Botan would accept such a certificate as also valid for ``bar.foo.example.com``.

  RFC 6125 also requires that when matching a X.509 certificate against a DNS
  name, the CN entry is only compared if no subjectAlternativeName entry is
  available. Previously X509_Certificate::matches_dns_name would always check
  both names.

  Found in a review by Sirrix AG and 3curity GmbH.

  Introduced in 1.11.0, fixed in 1.11.22

* 2015-10-26 (CVE-2015-7827): PKCS #1 v1.5 decoding was not constant time

  During RSA decryption, how long decoding of PKCS #1 v1.5 padding took was
  input dependent. If these differences could be measured by an attacker, it
  could be used to mount a Bleichenbacher million-message attack. PKCS #1 v1.5
  decoding has been rewritten to use a sequence of operations which do not
  contain any input-dependent indexes or jumps. Notations for checking constant
  time blocks with ctgrind (https://github.com/agl/ctgrind) were added to PKCS
  #1 decoding among other areas. Found in a review by Sirrix AG and 3curity GmbH.

  Fixed in 1.11.22 and 1.10.13. Affected all previous versions.

* 2015-08-03 (CVE-2015-5726): Crash in BER decoder

  The BER decoder would crash due to reading from offset 0 of an empty vector if
  it encountered a BIT STRING which did not contain any data at all. This can be
  used to easily crash applications reading untrusted ASN.1 data, but does not
  seem exploitable for code execution. Found with afl.

  Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11

* 2015-08-03 (CVE-2015-5727): Excess memory allocation in BER decoder

  The BER decoder would allocate a fairly arbitrary amount of memory in a length
  field, even if there was no chance the read request would succeed.  This might
  cause the process to run out of memory or invoke the OOM killer. Found with afl.

  Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11

2014
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* 2014-04-10 (CVE-2014-9742): Insufficient randomness in Miller-Rabin primality check

  A bug in the Miller-Rabin primality test resulted in only a single random base
  being used instead of a sequence of such bases. This increased the probability
  that a non-prime would be accepted by is_prime or that a randomly generated
  prime might actually be composite.  The probability of a random 1024 bit
  number being incorrectly classed as prime with a single base is around 2^-40.
  Reported by Jeff Marrison.

  Introduced in 1.8.3, fixed in 1.10.8 and 1.11.9