Vulnerability Spotlight: Multiple Vulnerabilities in InsideSecure MatrixSSL

2017-06-22T10:37:00
ID TALOSBLOG:AB9EE66C1BBE51DCD1977658EAF0328A
Type talosblog
Reporter noreply@blogger.com (Edmund Brumaghin)
Modified 2017-06-22T17:37:31

Description

<i>These vulnerabilities were discovered by Aleksandar Nikolic of Cisco Talos</i><br /><br /><h2>Overview</h2><br />MatrixSSL is a TLS/SSL stack offered in the form of a Software Development Kit (SDK) that is geared towards application in Internet of Things (IOT) devices and other embedded systems. It features low resource overhead and supports many different embedded platforms. It also features FIPS 140-2 compliant cryptography making it suitable for use in high security environments. Talos recently discovered multiple vulnerabilities in MatrixSSL version 3.8.7b including two remote code execution (RCE) vulnerabilities as well as an information disclosure vulnerability.<br /><a name='more'></a><br /><h3>TALOS-2017-0276: InsideSecure MatrixSSL x509 certificate SubjectDomainPolicy Remote Code Execution Vulnerability (CVE-2017-2780)</h3><h3> </h3>MatrixSSL is susceptible to a heap based buffer overflow due to a vulnerability in the 'parsePolicyMappings' function while parsing the x509 SubjectDomainPolicy PolicyMappings extension. When parsing x509 certificates in DER format, a fixed size heap allocation occurs. In situations where the received encoded OID value is longer than the amount of space that has been allocated to the heap, an overflow condition occurs. This vulnerability could be exploited by an attacker to achieve remote code execution on vulnerable systems using a specially crafted OID value.<br /><br /><h3>TALOS-2017-0277: InsideSecure MatrixSSL x509 certificate IssuerDomainPolicy Remote Code Execution Vulnerability (CVE-2017-2781)</h3><h3> </h3>MatrixSSL is susceptible to a heap based buffer overflow due to a vulnerability in the 'parsePolicyMappings' function while parsing the IssuerPolicy PolicyMappings extension. When parsing x509 certificates in DER format, a fixed size heap allocation occurs. In situations where the received encoded OID value is longer than the amount of space that has been allocated to the heap, an overflow condition occurs. This vulnerability could be exploited by an attacker to achieve remote code execution using a specially crafted OID value.<br /><br /><h3>TALOS-2017-0278: InsideSecure MatrixSSL x509 certificate General Names Information Disclosure Vulnerability (CVE-2017-2782)</h3><h3> </h3>MatrixSSL is susceptible to an integer overflow due to a vulnerability in how general names extensions are parsed by the 'parseGeneralNames' function. An specially crafted x509 certificate containing attacker controlled subject alternative names ASN1 strings can be used to create an integer overflow that can be used to leak sensitive information on affected systems.<br /><br /><h2>Conclusion</h2><h2> </h2>Talos has worked to responsibly disclose these vulnerabilities to InsideSecure. InsideSecure has released a security update 3.9.3 to resolve these issues. Many of the embedded systems potentially affected by these vulnerabilities lack modern heap exploitation mitigations which may make it easier to successfully exploit them. As some of these vulnerabilities can be leveraged by an attacker to obtain remote code execution on affected systems, it is recommended that the security update be applied as quickly as possible. Ensuring that systems remained patched against the latest software vulnerabilities is essential to ensuring that environments remain protected. The latest version of this software package is available <a href="https://github.com/matrixssl/matrixssl/releases/tag/3-9-3-open">here</a>.<br /><br />For full details regarding these vulnerabilities, please see the advisories <a href="http://www.talosintelligence.com/reports/TALOS-2017-0276/">here</a>, <a href="http://www.talosintelligence.com/reports/TALOS-2017-0277/">here</a> and <a href="http://www.talosintelligence.com/reports/TALOS-2017-0278/">here</a>.<br /><br />Research efforts to identify zero-day vulnerabilities in software will remain an ongoing effort by Talos. Our work in developing programmatic methods to identify zero-day vulnerabilities and making sure they are addressed in a responsible manner is critical to improving the overall security of the internet.<br /><br />Our vulnerability reporting and disclosure policy can be found <a href="http://www.cisco.com/c/en/us/about/security-center/vendor-vulnerability-policy.html">here</a>.<br /><br /><h2>Coverage</h2><h2> </h2>The following Snort IDs have been released to detect these vulnerabilities: 41466, 41467 <br /><br />Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.<br /><br />For further zero day or vulnerability reports and information visit:<br /><br /><a href="http://talosintelligence.com/vulnerability-reports/">http://talosintelligence.com/vulnerability-reports/</a><br /><br /><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/feedburner/Talos?a=QAa9jYAi7gA:Du45oB4dyBc:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/QAa9jYAi7gA" height="1" width="1" alt=""/>