Vulnerability in OpenSSL - Timing vulnerability in DSA signature generation
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Found by Samuel Weiser...
Vulnerability in OpenSSL - bn_sqrx8x_internal carry bug on x86_64
There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible...
Vulnerability in OpenSSL - OCSP Status Request extension unbounded memory growth
A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service...
Vulnerability in OpenSSL - Cross-protocol attack on TLS using SSLv2 (DROWN)
A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting...
Vulnerability in OpenSSL - Incorrect SSLv2 rollback protection
OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater th...
Vulnerability in OpenSSL - AES OCB fails to encrypt some bytes
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn’t written. In the special case of “in place” encryption...
Vulnerability in OpenSSL - X.509 Name Constraints Read Buffer Overflow
A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate...
Vulnerability in OpenSSL - Microarchitecture timing vulnerability in ECC scalar multiplication
OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown to be vulnerable to a microarchitecture timing side channel attack. An attacker with sufficient access to mount local timing attacks during ECDSA signature generation could recover the private key. Found by Alejandro...
Vulnerability in OpenSSL - Montgomery multiplication may produce incorrect results
There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not...
Vulnerability in OpenSSL - Segmentation fault in DTLSv1_listen
Segmentation fault in DTLSv1_listen. A defect in the implementation of DTLSv1_listen means that state is preserved in the SSL object from one invocation to the next that can lead to a segmentation fault. Errors processing the initial ClientHello can trigger this scenario. An example of such an erro...
Vulnerability in OpenSSL CVE-2002-0659
A flaw in the ASN1 library allowed remote attackers to cause a denial of service by sending invalid encodings...
Vulnerability in OpenSSL CVE-2009-3245
It was discovered that OpenSSL did not always check the return value of the bn_wexpand function. An attacker able to trigger a memory allocation failure in that function could cause an application using the OpenSSL library to crash or, possibly, execute arbitrary code. Found by Martin Olsson, Neel...
Vulnerability in OpenSSL - ECDHE silently downgrades to ECDH [Client]
An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite using an ECDSA certificate if the server key exchange message is omitted. This effectively removes forward secrecy from the ciphersuite. Found by Karthikeyan Bhargavan of the PROSECCO team at INRIA...
Vulnerability in OpenSSL - Timing vulnerability in ECDSA signature generation
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Found by Samuel Weiser...
Vulnerability in OpenSSL - Bignum squaring may produce incorrect results
Bignum squaring (BN_sqr) may produce incorrect results on some platforms, including x86_64. This bug occurs at random with a very low probability, and is not known to be exploitable in any way, though its exact impact is difficult to determine. The following has been determined: The probability of...
Vulnerability in OpenSSL - Possible denial of service in X.509 name checks
Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can cause a denial o...
Vulnerability in OpenSSL - ChaCha20-Poly1305 with long nonces
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also...
Vulnerability in OpenSSL - SSL, TLS and DTLS Plaintext Recovery Attack
A weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS which could lead to plaintext recovery by exploiting timing differences arising during MAC processing. Found by Nadhem J. AlFardan and Kenneth G. Paterson of the Information Security Group, Royal Holloway, University of London...
Vulnerability in OpenSSL CVE-2010-4252
An error in OpenSSL’s experimental J-PAKE implementation which could lead to successful validation by someone with no knowledge of the shared secret. The OpenSSL Team still consider the implementation of J-PAKE to be experimental and is not compiled by default. Found by Sebastian Martini...
Vulnerability in OpenSSL - Fix memory issues in BIO_*printf functions
The internal |fmtstr| function used in processing a “%s” format string in the BIO_*printf functions could overflow while calculating the length of a string and cause an OOB read when printing very long strings. Additionally the internal |doapr_outch| function can attempt to write to an OOB memory...
Vulnerability in OpenSSL - no-ssl3 configuration sets method to NULL
When openssl is built with the no-ssl3 option and an SSLv3 ClientHello is received, the ssl method would be set to NULL which could later result in a NULL pointer dereference. Found by Frank Schmirler...
Vulnerability in OpenSSL CVE-2009-3555
Implement RFC5746 to address vulnerabilities in SSL/TLS renegotiation...
Vulnerability in OpenSSL - Excessive time spent checking invalid RSA public keys
Issue summary: Checking excessively long invalid RSA public keys may take a long time. Impact summary: Applications that use the function EVP_PKEY_public_check() to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this m...
Vulnerability in OpenSSL - Certificate message OOB reads
In OpenSSL 1.0.2 and earlier some missing message length checks can result in OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical DoS risk but this has not been observed in practice on common platforms. The messages affected are client certificate, client certificate...
Vulnerability in OpenSSL - Constructed ASN.1 types with a recursive definition could exceed the stack
Constructed ASN.1 types with a recursive definition such as can be found in PKCS7 could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so...
Vulnerability in OpenSSL - Incorrect cipher key & IV length processing
Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result ...
Vulnerability in OpenSSL - SSL_peek() hang on empty record
OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer sends an empty record. This could be exploited by a malicious peer in a Denial Of Service attack. Found by Alex Gaynor...
Vulnerability in OpenSSL - X.509 Email Address 4-byte Buffer Overflow
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate...
Vulnerability in OpenSSL - 0-byte record padding oracle
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received...
Vulnerability in OpenSSL - SSLv2 doesn't block disabled ciphers
A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2. Found by Nimrod Aviram and Sebastian Schinzel...
Vulnerability in OpenSSL - SSL_MODE_RELEASE_BUFFERS session injection or denial of service
A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common...
Vulnerability in OpenSSL - RSA silently downgrades to EXPORT_RSA [Client]
An OpenSSL client will accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. A server could present a weak temporary key and downgrade the security of the session. Found by Karthikeyan Bhargavan of the PROSECCO team at INRIA...
Vulnerability in OpenSSL - Excessive Resource Usage Verifying X.509 Policy Constraints
A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of...
Vulnerability in OpenSSL - SSL_get_shared_ciphers() buffer overflow
A buffer overflow was discovered in the SSL_get_shared_ciphers() utility function. An attacker could send a list of ciphers to an application that uses this function and overrun a buffer. Found by openssl...
Vulnerability in OpenSSL CVE-2004-0081
The Codenomicon TLS Test Tool found that some unknown message types were handled incorrectly, allowing a remote attacker to cause a denial of service (infinite loop). Found by OpenSSL group...
Vulnerability in OpenSSL - Truncated packet could crash via OOB read
If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; user...
Vulnerability in OpenSSL - Side channel attack on modular exponentiation
A side-channel attack was found which makes use of cache-bank conflicts on the Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA keys. The ability to exploit this issue is limited as it relies on an attacker who has control of code in a thread running on the same...
Vulnerability in OpenSSL - Divide-and-conquer session key recovery in SSLv2
This issue only affected versions of OpenSSL prior to March 19th 2015, at which time the code was refactored to address vulnerability CVE-2015-0293. s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If clear-key bytes are present for these ciphers, they displace...
Vulnerability in OpenSSL - Possible DoS translating ASN.1 object identifiers
Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems (OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS) with no message size limit may experience...
Vulnerability in OpenSSL - CMS verify infinite loop with unknown hash function
When verifying a signedData message the CMS code can enter an infinite loop if presented with an unknown hash function OID. This can be used to perform denial of service against any system which verifies signedData messages using the CMS code. Found by Johannes Bauer...
Vulnerability in OpenSSL - Race condition handling NewSessionTicket
If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data. Found by Emilia Käsper OpenSSL...
Vulnerability in OpenSSL - Session Ticket Memory Leak
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could...
Vulnerability in OpenSSL - X.509 Email Address Variable Length Buffer Overflow
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate...
Vulnerability in OpenSSL - Client DoS due to large DH parameter
During key agreement in a TLS handshake using a DHE based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This...
Vulnerability in OpenSSL - PKCS7 crash with missing EnvelopedContent
The PKCS7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed ASN.1-encoded PKCS7 blobs with missing content and trigger a NULL pointer dereference on parsing. Applications that decrypt PKCS7 data or otherwise parse PKCS7 structures from untruste...
Vulnerability in OpenSSL - Incorrect CRYPTO_memcmp on HP-UX PA-RISC
Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security...
Vulnerability in OpenSSL - Constant time flag not preserved in DSA signing
Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficien...
Vulnerability in OpenSSL - Pointer arithmetic undefined behaviour
Avoid some undefined pointer arithmetic. A common idiom in the codebase is to check limits in the following manner: “p + len > limit” where “p” points to some malloc’d data of SIZE bytes and limit == p + SIZE. “len” here could be from some externally supplied data (e.g. from a TLS message). The rules o...
Vulnerability in OpenSSL CVE-2003-0543
An integer overflow could allow remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values. Found by NISCC...
Vulnerability in OpenSSL - X.509 Policy Constraints Double Locking
If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled o...