7.4 High (CVSS3)
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
5.8 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.004 Low (EPSS), Percentile: 68.2%
This report relates to CVE-2019-1543, https://www.openssl.org/news/secadv/20190306.txt, which I reported to the OpenSSL maintainers a few days ago.
OpenSSL accepts nonces of up to 16 bytes for the AEAD cipher ChaCha20-Poly1305. This support is advertised in the OpenSSL documentation and via the CHACHA_CTR_SIZE (16) constant.
However, the ChaCha20-Poly1305 specification supports nonces of only up to 12 bytes.
If a user passes a 16-byte nonce to OpenSSL, OpenSSL silently discards the first 4 bytes of the nonce.
The maintainers classified the severity of this as LOW since it only affects user applications of OpenSSL, while at the same time recognizing the severity of this for these user applications as MEDIUM (or “serious” and “catastrophic” in the words of two maintainers).
This breaks the guarantees provided by OpenSSL to user applications in two ways:
1. These first 4 bytes are not authenticated, breaking the integrity guarantees of the AEAD cipher and allowing an attacker to tamper with 4 bytes of the AEAD message. This in itself is serious for applications which rely on AEAD ciphers to detect message tampering and/or message corruption.
2. This introduces the likelihood of nonce reuse, since the most significant 4 bytes of nonce entropy are discarded by OpenSSL; for example, where a user provides a 32-bit nonce counter in a statically allocated 16-byte buffer to OpenSSL, every counter value maps to the same effective 12-byte nonce. Nonce reuse is catastrophic for an AEAD cipher such as ChaCha20-Poly1305, as it would allow an attacker to completely decrypt all sensitive information.
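To make the second failure mode concrete, the following added example (not OpenSSL's code, and not part of the report) models the pre-fix truncation with a minimal pure-Python ChaCha20 block function: a 32-bit counter kept in the first 4 bytes of a 16-byte buffer never changes the effective nonce, so two messages share one keystream, and a caller-side length check shows the mitigation. The key, nonces and messages are constructed sample values.

```python
# Added example, not OpenSSL's code: model the pre-fix 16-byte nonce truncation.
import struct

MASK = 0xFFFFFFFF
NONCE_LEN = 12  # nonce size fixed by the ChaCha20-Poly1305 specification (RFC 7539)

def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))

def _quarter(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block: 32-byte key, 32-bit counter, 12-byte nonce."""
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds as 10 column+diagonal double rounds
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter(w, *q)
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(w, state)))

def legacy_effective_nonce(nonce16):
    """Pre-fix behaviour from the report: the first 4 bytes are dropped, neither used nor authenticated."""
    return nonce16[4:]

def legacy_encrypt(key, nonce16, plaintext):
    """Encrypt up to 64 bytes with the keystream the truncated nonce selects
    (counter 1 is the first data block; block 0 is reserved for the Poly1305 key)."""
    ks = chacha20_block(key, 1, legacy_effective_nonce(nonce16))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

def counter_in_first_word_collides(key, msg_a, msg_b):
    """Report scenario: a 32-bit counter in the first 4 bytes of a static 16-byte buffer
    never changes the effective nonce, so XOR of ciphertexts equals XOR of plaintexts."""
    tail = bytes(12)  # constructed: rest of the buffer stays constant
    c0 = legacy_encrypt(key, struct.pack(">I", 0) + tail, msg_a)
    c1 = legacy_encrypt(key, struct.pack(">I", 1) + tail, msg_b)
    xor_ct = bytes(x ^ y for x, y in zip(c0, c1))
    return xor_ct == bytes(x ^ y for x, y in zip(msg_a, msg_b))

def require_aead_nonce(nonce):
    """Caller-side check: accept only the 12-byte nonce the specification defines."""
    if len(nonce) != NONCE_LEN:
        raise ValueError(f"ChaCha20-Poly1305 nonce must be {NONCE_LEN} bytes, got {len(nonce)}")
    return nonce
```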