CVE-2018-1000159

Name of the Vulnerable Software and Affected Versions tlslite-ng versions 0.7.3 and earlier

Description The issue is related to an improper validation of integrity check value in the TLS implementation. Specifically, the ct check cbc mac and pad() function in tlslite/utils/constanttime.py contains a vulnerability. This can result in an attacker manipulating the TLS ciphertext without being detected by the receiving tlslite-ng. The attack appears to be exploitable via a man-in-the-middle attack on a network connection.

Recommendations For tlslite-ng versions 0.7.3 and earlier, consider updating to a version that includes the fix after commit 3674815d1b0f7484454995e2737a352e0a6a93d8 to resolve the issue. As a temporary workaround, consider restricting access to the ct check cbc mac and pad() function in tlslite/utils/constanttime.py to minimize the risk of exploitation.