Future release includes patch, workaround already available

Jan 20, 2015 21:19 GMT

The possibility of remote code execution (RCE) exists in certain versions of the open-source SSL library PolarSSL due to a vulnerability that can be triggered during a certificate parsing process.

While parsing an ASN.1 (Abstract Syntax Notation One) sequence of variables, a pointer is left uninitialized; if an error then occurs, under certain circumstances that uninitialized pointer is passed to polarssl_free().
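A simplified model of the flaw described above, as an added example that is not PolarSSL's code or part of the original article: the node type, function names and the 0xA5 fill pattern are assumptions chosen for illustration, and the input is constructed. It shows a cleanup walk after a mid-list parse error reaching a pointer that was never assigned, and how zeroing each new node (`zero_new = 1`) prevents that.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical node type standing in for the library's asn1_sequence. */
typedef struct node { int value; struct node *next; } node;
static node *owned[8];   /* every node this demo really allocated */
static int n_owned;

/* Allocate a node filled with 0xA5 to model stale heap contents. */
static node *node_alloc(void) {
    node *n = (n_owned < 8) ? malloc(sizeof *n) : NULL;
    if (n != NULL) owned[n_owned++] = memset(n, 0xA5, sizeof *n);
    return n;
}

/* Parse items into a list off head; a negative item is a parse error.
 * zero_new = 0 models the missing initialisation, 1 zeroes each new node. */
static int parse_seq(node *head, const int *items, int len, int zero_new) {
    node *cur = head;
    for (int i = 0; i < len; i++) {
        if (items[i] < 0) return -1;   /* early exit: cur->next never written */
        cur->value = items[i];
        if (i + 1 == len) break;
        if ((cur->next = node_alloc()) == NULL) return -2;
        if (zero_new) memset(cur->next, 0, sizeof(node));
        cur = cur->next;
    }
    cur->next = NULL;                  /* only reached on success */
    return 0;
}

/* Walk the list as a caller's error cleanup would. Returns how many nodes it
 * would free, or -1 if it reaches a pointer that was never allocated. */
static int release_seq(node *head) {
    int walked = 0;
    for (node *p = head->next; p != NULL; p = p->next, walked++) {
        int i = 0;
        while (i < n_owned && owned[i] != p) i++;
        if (i == n_owned) { walked = -1; break; }  /* stale pointer: stop here */
    }
    while (n_owned > 0) free(owned[--n_owned]);    /* real release via registry */
    return walked;
}

/* Constructed input: the third item is malformed, so parsing stops mid-list. */
static int demo(int zero_new) {
    const int items[] = { 1, 2, -1, 4 };
    node head = { 0, NULL };
    return parse_seq(&head, items, 4, zero_new) == 0 ? -99 : release_seq(&head);
}

int main(void) { return !(demo(0) == -1 && demo(1) == 2); }
```

In the model the stale pointer is detected and skipped; a real cleanup routine has no such registry and would pass the value straight to its free function.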

Bug triggered upon certificate verification

According to an advisory from PolarSSL, this type of situation is possible when a certificate is parsed. “So practically this means clients when receiving a certificate from the server or servers in case they are actively asking for a client certificate,” the advisory informs.

This security flaw, which is now identified as CVE-2015-1182, was discovered internally by the PolarSSL maintainers and was also reported by an external company, Certified Secure.

“When a user controlled X.509 certificate is parsed by the PolarSSL library, the vulnerability allows for Remote Code Execution and a Denial of Service. The most common vulnerable scenario is a server using the PolarSSL library to verify client certificates,” Certified Secure says in a blog post.

An attacker who manages to take advantage of the weakness can cause at least a denial-of-service condition; the biggest threat is remote execution of arbitrary code on the affected machine.

Workaround and unofficial patch available

PolarSSL is a library that lets developers include cryptographic and SSL/TLS functions in their products. It is used in a number of important projects, such as cURL, OpenVPN and PowerDNS; it is also present on embedded devices.

To mitigate the problem, the developers offer a couple of solutions. The first is to apply a provided patch to the codebase of the products integrating PolarSSL. The second, for cases where time is not particularly essential, is to wait for a new version to appear.

All releases from version 1.0 up to 1.3.9, along with build 1.2.12, are affected by the security glitch.

An unofficial patch for version 1.3.9 of the library is also available, provided by Certified Secure.

Patch provided by the developer (to be added to asn1parse.c):

diff --git a/library/asn1parse.c b/library/asn1parse.c
index a3a2b56..e2117bf 100644
--- a/library/asn1parse.c
+++ b/library/asn1parse.c
@@ -278,6 +278,8 @@ int asn1_get_sequence_of( unsigned char **p,
         if( cur->next == NULL )
           return( POLARSSL_ERR_ASN1_MALLOC_FAILED );

+       memset( cur->next, 0, sizeof( asn1_sequence ) );
+
         cur = cur->next;
      }
     }
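
Review bot: The added memset( cur->next, 0, sizeof( asn1_sequence ) ) after the NULL check carries no comment saying why the zeroing matters; a one-line comment that the new node's pointers must be NULL before any early error return, so the caller's cleanup does not free garbage, would keep the line from being dropped later as redundant. The zeroing also covers only nodes allocated inside this loop, and the hunk does not show how the first cur node is initialised, so it is worth confirming that every caller zeroes the list head before calling asn1_get_sequence_of(). If the library has a zeroing allocator, using it for this allocation would remove the window between allocation and memset entirely.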