| Summary: | opencryptoki new security issue CVE-2024-0914 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | opencryptoki-3.18.0-1.mga9.src.rpm | CVE: | CVE-2024-0914 |
| Status comment: | | | |
Description
Nicolas Salguero
2024-04-22 10:51:41 CEST
Nicolas Salguero
2024-04-22 10:52:00 CEST
Status comment:
(none) =>
Fixed upstream in 3.23.0

Suggested advisory:
========================

The updated packages fix a security vulnerability:

A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key. (CVE-2024-0914)

References:
https://lwn.net/Articles/970137/
========================

Updated packages in core/updates_testing:
========================
lib(64)opencryptoki0-3.23.0-1.mga9
lib(64)opencryptoki-devel-3.23.0-1.mga9
opencryptoki-3.23.0-1.mga9
opencryptoki-icsftok-3.23.0-1.mga9
opencryptoki-swtok-3.23.0-1.mga9
opencryptoki-tpmtok-3.23.0-1.mga9

from SRPM:
opencryptoki-3.23.0-1.mga9.src.rpm

Assignee:
bugsquad =>
qa-bugs
katnatek
2024-04-22 20:51:52 CEST
Keywords:
(none) =>
advisory

RH mageia 9 x86_64
LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/*.rpm
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release (distrib1)")
lib64tspi1 0.3.15 3.mga9 x86_64
(command line)
lib64opencryptoki-devel 3.23.0 1.mga9 x86_64
lib64opencryptoki0 3.23.0 1.mga9 x86_64
opencryptoki 3.23.0 1.mga9 x86_64
opencryptoki-icsftok 3.23.0 1.mga9 x86_64
opencryptoki-swtok 3.23.0 1.mga9 x86_64
opencryptoki-tpmtok 3.23.0 1.mga9 x86_64
3.7MB of additional disk space will be used.
1.3MB of packages will be retrieved.
Proceed with the installation of the 7 packages? (Y/n) y
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64tspi1-0.3.15-3.mga9.x86_64.rpm
installing /home/katnatek/qa-testing/x86_64/lib64opencryptoki0-3.23.0-1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/opencryptoki-icsftok-3.23.0-1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/lib64opencryptoki-devel-3.23.0-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64tspi1-0.3.15-3.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/opencryptoki-3.23.0-1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/opencryptoki-swtok-3.23.0-1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/opencryptoki-tpmtok-3.23.0-1.mga9.x86_64.rpm
Preparing... ##################################################################################################
1/7: lib64opencryptoki0 ##################################################################################################
2/7: lib64tspi1 ##################################################################################################
3/7: opencryptoki-tpmtok warning: group pkcs11 does not exist - using root
##################################################################################################
4/7: opencryptoki-icsftok warning: group pkcs11 does not exist - using root
##################################################################################################
5/7: lib64opencryptoki-devel
##################################################################################################
6/7: opencryptoki-swtok warning: group pkcs11 does not exist - using root
warning: group pkcs11 does not exist - using root
##################################################################################################
7/7: opencryptoki ##################################################################################################
/usr/lib/tmpfiles.d/opencryptoki.conf:2: Failed to resolve user 'pkcsslotd': No such process
/usr/lib/tmpfiles.d/opencryptoki.conf:2: Failed to resolve user 'pkcsslotd': No such process
I did try to follow bug#29328 comment#5, but something is not working
usermod -a -G pkcs11 root
pkcsslotd
There is no 'pkcsslotd' user on this system.
pkcsconf -i
pkcsconf: Error initializing the PKCS11 library: 0x6 (CKR_FUNCTION_FAILED)
katnatek
2024-04-26 03:40:49 CEST
Keywords:
(none) =>
feedback

Hi,

Indeed, I missed some options for configure, at build time, sorry.

Updated packages in core/updates_testing:
========================
lib(64)opencryptoki0-3.23.0-1.1.mga9
lib(64)opencryptoki-devel-3.23.0-1.1.mga9
opencryptoki-3.23.0-1.1.mga9
opencryptoki-icsftok-3.23.0-1.1.mga9
opencryptoki-swtok-3.23.0-1.1.mga9
opencryptoki-tpmtok-3.23.0-1.1.mga9

from SRPM:
opencryptoki-3.23.0-1.1.mga9.src.rpm

Keywords:
feedback =>
(none)

I removed the "advisory" flag since I think it needs to be updated in SVN.

Keywords:
advisory =>
(none)

RH mageia 9 x86_64
LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/*.rpm
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release (distrib1)")
lib64tspi1 0.3.15 3.mga9 x86_64
(command line)
lib64opencryptoki-devel 3.23.0 1.1.mga9 x86_64
lib64opencryptoki0 3.23.0 1.1.mga9 x86_64
opencryptoki 3.23.0 1.1.mga9 x86_64
opencryptoki-icsftok 3.23.0 1.1.mga9 x86_64
opencryptoki-swtok 3.23.0 1.1.mga9 x86_64
opencryptoki-tpmtok 3.23.0 1.1.mga9 x86_64
3.7MB of additional disk space will be used.
1.3MB of packages will be retrieved.
Proceed with the installation of the 7 packages? (Y/n) y
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64tspi1-0.3.15-3.mga9.x86_64.rpm
installing /home/katnatek/qa-testing/x86_64/opencryptoki-swtok-3.23.0-1.1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/lib64opencryptoki0-3.23.0-1.1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/opencryptoki-tpmtok-3.23.0-1.1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/opencryptoki-3.23.0-1.1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/opencryptoki-icsftok-3.23.0-1.1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/lib64opencryptoki-devel-3.23.0-1.1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64tspi1-0.3.15-3.mga9.x86_64.rpm
Preparing... ##################################################################################################
1/7: lib64opencryptoki0 ##################################################################################################
2/7: lib64tspi1 ##################################################################################################
3/7: opencryptoki-tpmtok ##################################################################################################
4/7: opencryptoki-swtok ##################################################################################################
5/7: opencryptoki-icsftok ##################################################################################################
6/7: lib64opencryptoki-devel
##################################################################################################
7/7: opencryptoki ##################################################################################################
Reference bug#29328 comment#5
usermod -a -G pkcs11 root
pkcsslotd
pkcsconf -i
PKCS#11 Info
Version 3.0
Manufacturer: IBM
Flags: 0x0
Library Description: openCryptoki
Library Version: 3.23
URI: pkcs11:library-description=openCryptoki;library-manufacturer=IBM;library-version=3.23
pkcsconf -t
Token #3 Info:
Label: softtok
Manufacturer: IBM
Model: Soft
Serial Number:
Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Sessions: 0/[effectively infinite]
R/W Sessions: 0/[effectively infinite]
PIN Length: 4-8
Public Memory: [information unavailable]/[information unavailable]
Private Memory: [information unavailable]/[information unavailable]
Hardware Version: 0.0
Firmware Version: 0.0
Time: 2024042611115000
URI: pkcs11:manufacturer=IBM;model=Soft;token=softtok
Looks consistent with the reference, and no installation warnings with these packages
Also, no issues at uninstall
katnatek
2024-04-26 19:19:07 CEST
CC:
(none) =>
andrewsfarm
katnatek
2024-04-26 19:19:22 CEST
Whiteboard:
(none) =>
MGA9-64-OK
katnatek
2024-04-26 19:22:14 CEST
Keywords:
(none) =>
advisory

Validating.

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0152.html

Status:
ASSIGNED =>
RESOLVED
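
The two QA outcomes recorded in this bug (first build with packaging warnings and a failing `pkcsconf -i`, rebuilt packages installing cleanly and reporting 3.23) can be checked mechanically. The script below is an added example, not part of the bug report or of Mageia's QA tooling; the function names are hypothetical and the sample input is constructed from lines quoted in the comments above.

```shell
# Added example (not from the bug report): QA checks over captured output.
# 3.23 is the fixed release named in the bug; pkcsconf -i prints major.minor.
FIXED_MAJOR=3; FIXED_MINOR=23

# Count install-log lines (stdin) showing the first build's packaging failure.
install_warnings() {
    grep -c -E "group pkcs11 does not exist|Failed to resolve user 'pkcsslotd'" || true
}

# Print the "Library Version" value from `pkcsconf -i` output (stdin).
library_version() {
    sed -n 's/^[[:space:]]*Library Version:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# Return 0 if $1 (major.minor[.patch]) is at or above 3.23, 1 if older, 2 if unparsable.
version_is_fixed() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt "$FIXED_MAJOR" ] && return 0
    [ "$major" -lt "$FIXED_MAJOR" ] && return 1
    [ "$minor" -ge "$FIXED_MINOR" ]   # numeric compare, so 3.9 < 3.23
}

# Verdict for one build: $1 = install log text, $2 = `pkcsconf -i` output.
qa_verdict() {
    warnings=$(printf '%s\n' "$1" | install_warnings)
    version=$(printf '%s\n' "$2" | library_version)
    if [ "$warnings" -gt 0 ]; then
        echo "FAIL: $warnings packaging warning(s) during install"
    elif ! version_is_fixed "$version"; then
        echo "FAIL: library version '$version' is unreadable or older than 3.23"
    else
        echo "OK: library $version, clean install"
    fi
}

# Sample input, constructed from lines quoted in this bug report.
FIRST_LOG="3/7: opencryptoki-tpmtok warning: group pkcs11 does not exist - using root
/usr/lib/tmpfiles.d/opencryptoki.conf:2: Failed to resolve user 'pkcsslotd': No such process"
FIRST_INFO="pkcsconf: Error initializing the PKCS11 library: 0x6 (CKR_FUNCTION_FAILED)"
SECOND_LOG="3/7: opencryptoki-tpmtok
7/7: opencryptoki"
SECOND_INFO="Library Description: openCryptoki
Library Version: 3.23"

echo "3.23.0-1.mga9:   $(qa_verdict "$FIRST_LOG" "$FIRST_INFO")"
echo "3.23.0-1.1.mga9: $(qa_verdict "$SECOND_LOG" "$SECOND_INFO")"
```

On a live system, pipe the real `urpmi` log and `pkcsconf -i` output into the same functions; a library version at or above 3.23 is used here only as a proxy for the package carrying the upstream fix.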