Thursday, June 22, 2017

Vulnerability Spotlight: Multiple Vulnerabilities in InsideSecure MatrixSSL

These vulnerabilities were discovered by Aleksandar Nikolic of Cisco Talos

Overview


MatrixSSL is a TLS/SSL stack offered in the form of a Software Development Kit (SDK) that is geared towards application in Internet of Things (IOT) devices and other embedded systems. It features low resource overhead and supports many different embedded platforms. It also features FIPS 140-2 compliant cryptography making it suitable for use in high security environments. Talos recently discovered multiple vulnerabilities in MatrixSSL version 3.8.7b including two remote code execution (RCE) vulnerabilities as well as an information disclosure vulnerability.

TALOS-2017-0276: InsideSecure MatrixSSL x509 certificate SubjectDomainPolicy Remote Code Execution Vulnerability (CVE-2017-2780)

 

MatrixSSL is susceptible to a heap based buffer overflow due to a vulnerability in the 'parsePolicyMappings' function while parsing the x509 SubjectDomainPolicy PolicyMappings extension. When parsing x509 certificates in DER format, a fixed size heap allocation occurs. In situations where the received encoded OID value is longer than the amount of space that has been allocated to the heap, an overflow condition occurs. This vulnerability could be exploited by an attacker to achieve remote code execution on vulnerable systems using a specially crafted OID value.

TALOS-2017-0277: InsideSecure MatrixSSL x509 certificate IssuerDomainPolicy Remote Code Execution Vulnerability (CVE-2017-2781)

 

MatrixSSL is susceptible to a heap based buffer overflow due to a vulnerability in the 'parsePolicyMappings' function while parsing the IssuerPolicy PolicyMappings extension. When parsing x509 certificates in DER format, a fixed size heap allocation occurs. In situations where the received encoded OID value is longer than the amount of space that has been allocated to the heap, an overflow condition occurs. This vulnerability could be exploited by an attacker to achieve remote code execution using a specially crafted OID value.

TALOS-2017-0278: InsideSecure MatrixSSL x509 certificate General Names Information Disclosure Vulnerability (CVE-2017-2782)

 

MatrixSSL is susceptible to an integer overflow due to a vulnerability in how general names extensions are parsed by the 'parseGeneralNames' function. An specially crafted x509 certificate containing attacker controlled subject alternative names ASN1 strings can be used to create an integer overflow that can be used to leak sensitive information on affected systems.

Conclusion

 

Talos has worked to responsibly disclose these vulnerabilities to InsideSecure. InsideSecure has released a security update 3.9.3 to resolve these issues. Many of the embedded systems potentially affected by these vulnerabilities lack modern heap exploitation mitigations which may make it easier to successfully exploit them. As some of these vulnerabilities can be leveraged by an attacker to obtain remote code execution on affected systems, it is recommended that the security update be applied as quickly as possible. Ensuring that systems remained patched against the latest software vulnerabilities is essential to ensuring that environments remain protected. The latest version of this software package is available here.

For full details regarding these vulnerabilities, please see the advisories here, here and here.

Research efforts to identify zero-day vulnerabilities in software will remain an ongoing effort by Talos. Our work in developing programmatic methods to identify zero-day vulnerabilities and making sure they are addressed in a responsible manner is critical to improving the overall security of the internet.

Our vulnerability reporting and disclosure policy can be found here.

Coverage

 

The following Snort IDs have been released to detect these vulnerabilities: 41466, 41467

Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

For further zero day or vulnerability reports and information visit:

http://talosintelligence.com/vulnerability-reports/

No comments:

Post a Comment