Improper Authentication Affecting mbedtls package, versions <2.6.0-1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN11-MBEDTLS-515283
- published 30 Aug 2017
- disclosed 30 Aug 2017
Introduced: 30 Aug 2017
CVE-2017-14032 Open this link in a new tabHow to fix?
Upgrade Debian:11 mbedtls to version 2.6.0-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream mbedtls package and not the mbedtls package as distributed by Debian.
See How to fix? for Debian:11 relevant fixed versions and status.
ARM mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentication is configured, allows remote attackers to bypass peer authentication via an X.509 certificate chain with many intermediates. NOTE: although mbed TLS was formerly known as PolarSSL, the releases shipped with the PolarSSL name are not affected.
References
- https://security-tracker.debian.org/tracker/CVE-2017-14032
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14032
- https://bugs.debian.org/873557
- http://www.debian.org/security/2017/dsa-3967
- https://github.com/ARMmbed/mbedtls/commit/31458a18788b0cf0b722acda9bb2f2fe13a3fb32
- https://github.com/ARMmbed/mbedtls/commit/d15795acd5074e0b44e71f7ede8bdfe1b48591fc
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14032