Cesanta Mongoose
cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*
- <= 7.20
A vulnerability exists in Cesanta Mongoose versions prior to 7.21 in the GCM authentication tag handling of the `mg_aes_gcm_decrypt` function in `/src/tls_aes128.c`. The function fails to verify the GCM authentication tag during decryption, which defeats the authentication guarantee of the AES-GCM cipher: decryption succeeds whether or not the tag matches the ciphertext and associated data. Because GCM encrypts in counter mode, flipping a bit of the ciphertext flips the same bit of the recovered plaintext, so a remote attacker able to modify encrypted data in transit can perform bit-flipping attacks on TLS records without the change being detected. The vulnerability has been publicly disclosed and is considered difficult to exploit, but an exploit is available.
The result is a complete authentication bypass for TLS connections using AES-128-GCM, allowing unauthorized modification of encrypted data. Any TLS record can be subjected to bit-flipping, with the potential to alter application data such as HTTP headers, JSON fields, or MQTT payloads. The vulnerability could also be exploited to hijack authenticated sessions or inject malicious commands into IoT devices.
To reproduce, encrypt a message with `mg_aes_gcm_encrypt`, supplying associated data so that a correct GCM tag is generated. Flip specific bits of the resulting ciphertext so that the corresponding plaintext bits change on decryption, then overwrite the GCM tag with garbage. Decrypting the tampered ciphertext with `mg_aes_gcm_decrypt` returns the modified plaintext without any error, which demonstrates the authentication bypass; a correct implementation rejects the record because the tag no longer matches.
Upgrading to Cesanta Mongoose version 7.21 addresses this vulnerability.
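As an added example (not Mongoose's code), the following Go program uses the standard library's AES-GCM as a reference for the behaviour a fixed decryptor must have: it seals a constructed message with associated data, then repeats the tampering steps above (flipped ciphertext bit, corrupted tag, altered associated data) and records whether decryption rejects each one. The key, nonce, AAD and plaintext are constructed sample values; the same three checks, ported to call `mg_aes_gcm_decrypt`, serve as a regression test for the 7.21 fix.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// gcmTamperChecks seals plaintext with AES-128-GCM under key/nonce/aad, then reports,
// per tamper case, whether Open rejected the modified record. A correct AES-GCM
// decryptor rejects every case; one that skips tag verification accepts them all.
func gcmTamperChecks(key, nonce, aad, plaintext []byte) (map[string]bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, nonce, plaintext, aad) // ciphertext || 16-byte tag
	// Sanity check: the untampered record must round-trip.
	if pt, err := aead.Open(nil, nonce, sealed, aad); err != nil || !bytes.Equal(pt, plaintext) {
		return nil, fmt.Errorf("valid record failed to decrypt: %v", err)
	}
	cases := map[string]func(ct, ad []byte){
		"flipped ciphertext bit":   func(ct, _ []byte) { ct[0] ^= 0x01 },
		"corrupted tag":            func(ct, _ []byte) { ct[len(ct)-1] ^= 0xff }, // tag is the trailing 16 bytes
		"modified associated data": func(_, ad []byte) { ad[0] ^= 0x01 },
	}
	results := make(map[string]bool, len(cases))
	for name, mutate := range cases {
		// Each case mutates a private copy of the record or the AAD, then asks Open to accept it.
		ct, ad := append([]byte(nil), sealed...), append([]byte(nil), aad...)
		mutate(ct, ad)
		_, err := aead.Open(nil, nonce, ct, ad)
		results[name] = err != nil // true: tampering detected and rejected
	}
	return results, nil
}

func main() {
	// Constructed sample inputs: 16-byte key, 12-byte nonce, AAD shaped like a TLS record header.
	key, nonce, aad := []byte("0123456789abcdef"), []byte("unique-nonce"), []byte{0x17, 0x03, 0x03, 0x00, 0x1d}
	results, err := gcmTamperChecks(key, nonce, aad, []byte(`{"role":"user","admin":false}`))
	if err != nil {
		panic(err)
	}
	fmt.Println(results)
}
```

With a conforming decryptor every case prints `true`; a decryptor affected by this bug would report `false` for all three.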