@@ -56,6 +56,73 @@ changing the mbedTLS revision on ``west.yaml`` to the previous one
5656by a security expert to ensure that the know vulnerabilities in that version
5757don't affect the product.
5858
59+ Vulnerabilities addressed in this update:
60+
61+ * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
62+ builds that couldn't compile the GCC-style assembly implementation
63+ (most notably builds with Visual Studio), leaving them vulnerable to
64+ timing side-channel attacks. There is now an intrinsics-based AES-NI
65+ implementation as a fallback for when the assembly one cannot be used.
66+
67+ * Fix potential heap buffer overread and overwrite in DTLS if
68+ MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
69+ MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
70+
71+ * An adversary with access to precise enough information about memory
72+ accesses (typically, an untrusted operating system attacking a secure
73+ enclave) could recover an RSA private key after observing the victim
74+ performing a single private-key operation if the window size used for the
75+ exponentiation was 3 or smaller. Found and reported by Zili KOU,
76+ Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
77+ and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
78+ and Test in Europe 2023.
79+
80+ * Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
81+ module before freeing them. These buffers contain secret key material, and
82+ could thus potentially leak the key through freed heap.
83+
84+ * Fix a potential heap buffer overread in TLS 1.2 server-side when
85+ MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
86+ mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
87+ is selected. This may result in an application crash or potentially an
88+ information leak.
89+
90+ * Fix a buffer overread in DTLS ClientHello parsing in servers with
91+ MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client
92+ or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
93+ after the end of the SSL input buffer. The buffer overread only happens
94+ when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
95+ the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(),
96+ and possibly up to 571 bytes with a custom cookie check function.
97+ Reported by the Cybeats PSI Team.
98+
99+ * Zeroize several intermediate variables used to calculate the expected
100+ value when verifying a MAC or AEAD tag. This hardens the library in
101+ case the value leaks through a memory disclosure vulnerability. For
102+ example, a memory disclosure vulnerability could have allowed a
103+ man-in-the-middle to inject fake ciphertext into a DTLS connection.
104+
105+ * In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back
106+ from the output buffer. This fixes a potential policy bypass or decryption
107+ oracle vulnerability if the output buffer is in memory that is shared with
108+ an untrusted application.
109+
110+ * Fix a double-free that happened after mbedtls_ssl_set_session() or
111+ mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
112+ (out of memory). After that, calling mbedtls_ssl_session_free()
113+ and mbedtls_ssl_free() would cause an internal session buffer to
114+ be free()'d twice.
115+
116+ * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
117+ private keys and of blinding values for DHM and elliptic curves (ECP)
118+ computations. Reported by FlorianF89 in #4245.
119+
120+ * Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
121+ An adversary who is capable of very precise timing measurements could
122+ learn partial information about the leading bits of the nonce used for the
123+ signature, allowing the recovery of the private key after observing a
124+ large number of signature o
125+
59126Security Vulnerability Related
60127******************************
61128
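Review bot: The last bullet of the added list is truncated mid-sentence at "large number of signature o", so the ECDSA ephemeral-key entry needs its closing words before this merges; as it stands the release notes would ship with a dangling fragment describing a private-key recovery issue. Also consider naming the mbedTLS revision these fixes belong to: the surrounding context talks about changing the revision in ``west.yaml``, but the list itself never says which version contains the fixes, so a reader trying to decide whether a given build is affected cannot map the entries to a release. Minor, in the unchanged context just above the hunk: "the know vulnerabilities" should read "the known vulnerabilities" if you are touching this paragraph anyway.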