Vulnerability in OpenSSL - Low-level invalid GF(2^m) parameters lead to OOB memory access

Issue summary : Use of the low-level GF2^m elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes. Impact summary : Out of bound memory writes can lead to an application crash or even a possibility of a remote code execution,...

Vulnerability in OpenSSL - Possible denial of service in X.509 name checks

Issue summary : Applications performing certificate name checks e.g., TLS clients checking server certificates may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary : Abnormal termination of an application can a cause a denial o...

Vulnerability in OpenSSL - SSL_select_next_proto buffer overread

Issue summary : Calling the OpenSSL API function SSLselectnextproto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary : A buffer overread can have a range of potential consequences such as unexpected application beahviour o...

Vulnerability in OpenSSL - Use After Free with SSL_free_buffers

Issue summary : Calling the OpenSSL API function SSLfreebuffers may cause memory to be accessed that was previously freed in some situations Impact summary : A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code...

Vulnerability in OpenSSL - Excessive time spent checking DSA keys and parameters

Issue summary : Checking excessively long DSA keys or parameters may be very slow. Impact summary : Applications that use the functions EVPPKEYparamcheck or EVPPKEYpubliccheck to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checke...

Vulnerability in OpenSSL - Unbounded memory growth with session handling in TLSv1.3

Issue summary : Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary : An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in...

Vulnerability in OpenSSL - PKCS12 Decoding crashes

Issue summary : Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary : Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificat...

Vulnerability in OpenSSL - Excessive time spent checking invalid RSA public keys

Issue summary : Checking excessively long invalid RSA public keys may take a long time. Impact summary : Applications that use the function EVPPKEYpubliccheck to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this m...

Vulnerability in OpenSSL - POLY1305 MAC implementation corrupts vector registers on PowerPC

Issue summary : The POLY1305 MAC message authentication code implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary : If an attacker can influence whether the POLY1305 MAC...

Vulnerability in OpenSSL - Excessive time spent in DH check / generation with large Q parameter value

Issue summary : Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary : Applications that use the functions DHgeneratekey to generate an X9.42 DH key may experience long delays. Likewise, applications that use...

Vulnerability in OpenSSL - Incorrect cipher key & IV length processing

Issue summary : A bug has been identified in the processing of key and initialisation vector IV lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary : A truncation in the IV can result in non-uniqueness, which could result ...

Vulnerability in OpenSSL - POLY1305 MAC implementation corrupts XMM registers on Windows

Issue summary : The POLY1305 MAC message authentication code implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X8664 processors supporting the AVX512-IFMA instructions. Impact summary : If in an application that us...

Vulnerability in OpenSSL - Excessive time spent checking DH q parameter value

Issue summary : Checking excessively long DH keys or parameters may be very slow. Impact summary : Applications that use the functions DHcheck, DHcheckex or EVPPKEYparamcheck to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have bee...

Vulnerability in OpenSSL - Excessive time spent checking DH keys and parameters

Issue summary : Checking excessively long DH keys or parameters may be very slow. Impact summary : Applications that use the functions DHcheck, DHcheckex or EVPPKEYparamcheck to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have bee...

Vulnerability in OpenSSL - AES-SIV implementation ignores empty associated data entries

Issue summary : The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence. Impact summary : Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be...

Vulnerability in OpenSSL - Possible DoS translating ASN.1 object identifiers

Issue summary : Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary : Applications that use OBJobj2txt directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience...

Vulnerability in OpenSSL - Invalid certificate policies in leaf certificates are silently ignored

Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that...

Vulnerability in OpenSSL - Certificate policy check not enabled

The function X509VERIFYPARAMadd0policy is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate...

Vulnerability in OpenSSL - Excessive Resource Usage Verifying X.509 Policy Constraints

A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of...

Vulnerability in OpenSSL CVE-2023-1255

Issue summary : The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash. Impact summary : Applications that use the AES-XTS algorithm on the 64 bit ARM platform can crash in rare circumstances. The...

Vulnerability in OpenSSL - Double free after calling PEM_read_bio_ex

The function PEMreadbioex reads a PEM file from a BIO and parses and decodes the “name” e.g. “CERTIFICATE”, any header data and the payload data. If the function succeeds then the “nameout”, “header” and “data” arguments are populated with pointers to buffers containing the relevant decoded data...

Vulnerability in OpenSSL - Invalid pointer dereference in d2i_PKCS7 functions

An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2iPKCS7, d2iPKCS7bio or d2iPKCS7fp functions. The result of the dereference is an application crash which could lead to a denial of service attack. The TLS implementation in...

Vulnerability in OpenSSL - NULL dereference validating DSA public key

An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVPPKEYpubliccheck function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted sources which could allo...

Vulnerability in OpenSSL - Use-after-free following BIO_new_NDEF

The public API function BIOnewNDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the...

Vulnerability in OpenSSL - X.400 address type confusion in X.509 GeneralName

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1STRING but the public structure definition for GENERALNAME incorrectly specified the type of the x400Address field as ASN1TYPE. This field is subsequentl...

Vulnerability in OpenSSL - X.509 Name Constraints Read Buffer Overflow

A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate...

Vulnerability in OpenSSL - Timing Oracle in RSA Decryption

A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages fo...

Vulnerability in OpenSSL - NULL dereference during PKCS7 data verification

A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest initialization will fail...

Vulnerability in OpenSSL - X.509 Policy Constraints Double Locking

If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems most widely: Windows this results in a denial of service when the affected process hangs. Policy processing being enabled o...

Vulnerability in OpenSSL - X.509 Email Address 4-byte Buffer Overflow

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate...

Vulnerability in OpenSSL - X.509 Email Address Variable Length Buffer Overflow

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate...

Vulnerability in OpenSSL - Using a Custom Cipher with NID_undef may lead to NULL encryption

OpenSSL supports creating a custom cipher via the legacy EVPCIPHERmethnew function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0...

Vulnerability in OpenSSL - Heap memory corruption with RSA private key operation

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X8664 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a...

Vulnerability in OpenSSL - AES OCB fails to encrypt some bytes

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn’t written. In the special case of “in place” encryption...

Vulnerability in OpenSSL - The c_rehash script allows command injection

In addition to the crehash shell command injection identified in CVE-2022-1292, further circumstances where the crehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there...

Vulnerability in OpenSSL - Resource leakage when decoding certificates and keys

The OPENSSLLHflush function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will...

Vulnerability in OpenSSL - Incorrect MAC key used in the RC4-MD5 ciphersuite

The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipie...

Vulnerability in OpenSSL - OCSP_basic_verify may incorrectly verify the response signing certificate

The function OCSPbasicverify verifies the signer certificate on an OCSP response. In the case where the non-default flag OCSPNOCHECKS is used then the response will be positive meaning a successful verification even in the case where the response signing certificate fails to verify. It is...

Vulnerability in OpenSSL - The c_rehash script allows command injection

The crehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the...

Vulnerability in OpenSSL - Infinite loop in BN_mod_sqrt() reachable when parsing certificates

The BNmodsqrt function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a...

Vulnerability in OpenSSL - BN_mod_exp may produce incorrect results on MIPS

There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis...

Vulnerability in OpenSSL - Invalid handling of X509_verify_cert() internal errors in libssl

Internally libssl in OpenSSL calls X509verifycert on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error for example out of memory. Such a negative return value is mishandled by OpenSSL and will cause an IO...

Vulnerability in OpenSSL - Read buffer overruns processing ASN.1 strings

ASN.1 strings are represented internally within OpenSSL as an ASN1STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL 0 byte...

Vulnerability in OpenSSL - SM2 Decryption Buffer Overflow

In order to decrypt SM2 encrypted data an application is expected to call the API function EVPPKEYdecrypt. Typically an application will call this function twice. The first time, on entry, the “out” parameter can be NULL and, on exit, the “outlen” parameter is populated with the buffer size...

Vulnerability in OpenSSL - NULL pointer deref in signature_algorithms processing

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signaturealgorithms extension where it was present in the initial ClientHello, but includes a signaturealgorithmscert extension then a NU...

Vulnerability in OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT

The X509VFLAGX509STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an...

Vulnerability in OpenSSL - Incorrect SSLv2 rollback protection

OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater th...

Vulnerability in OpenSSL - Integer overflow in CipherUpdate

Calls to EVPCipherUpdate, EVPEncryptUpdate and EVPDecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 indicating succes...

Vulnerability in OpenSSL - Null pointer deref in X509_issuer_and_serial_hash()

The OpenSSL public API function X509issuerandserialhash attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field which might occur if the...

Vulnerability in OpenSSL - EDIPARTYNAME NULL pointer de-reference

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERALNAMEcmp which compares different instances of a GENERALNAME to see if they are equal or not. This function behaves incorrect...