9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.052 Low
EPSS
Percentile
91.8%
CVE-2021-3711
In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the “out” parameter can be NULL and, on exit, the “outlen” parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the “out” parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small.
Reproduce step:
Examples of data that triggered the vulnerability
3072022070DAD60CDA7C30D64CF4F278A849003581223F5324BFEC9BB329229BFFAD21A6021F18AFAB2B35459D2643243B242BE4EA80C6FA5071D2D847340CC57EB9309E5D04200B772E4DB664B2601E3B85E39E4DB664B2601E3B85E39C4AA308BE13588C301308E3588C01308E3588E3308E4
3072 //30 indicates the SEQUENCE type, 72 indicates that the total length of the subsequent data is 114 bytes
0220 //02 means INTEGER type, 20 means the length of the integer is 32 bytes
70DAD60CDA7C30D64CF4F278A849003581223F5324BFEC9BB329229BFFAD21A6 //32-byte XCoordinate
021F //02 means INTEGER type, 1F means the length of the integer is 31 bytes
18AFAB2B35459D2643243B242BE4EA80C6FA5071D2D847340CC57EB9309E5D //31-byte YCoordinate
0420 //04 means OCTETSTRING type, 20 means the length of the string is 32 bytes
0B772E4DB664B2601E3B85E39C4AA8C2C1910308BE13B331E009C5A9258C29FD //32-byte HASH
040B //04 means OCTETSTRING type, 0B means the length of the string is 11 bytes
6D588BE9260A94DA18E0E6 //11-byte ciphertext
After verification, the above-mentioned XCoordinate and YCoordinate satisfy the SM2 elliptic curve equation.
10 bytes of memory are allocated through OPENSSL_malloc, and out points to this memory.
The second call to pkey_sm2_decrypt, since the ciphertext has 11 bytes, the decryption result is also 11 bytes.
The memory pointed to by out is 10 bytes, and the decrypted result is 11 bytes, resulting in 1 byte being written out of bounds.
A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated.
OpenSSL versions 1.1.1k and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1l.
OpenSSL 1.0.2 is not impacted by this issue.
OpenSSL 3.0 alpha/beta releases are also affected but this issue will be addressed before the final release.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.052 Low
EPSS
Percentile
91.8%