Search: openssl (sorted by most viewed)

228 matches found

OpenSSL (added 2021/08/24 12:00 a.m., 471 views)

Vulnerability in OpenSSL - SM2 Decryption Buffer Overflow

In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt. Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size...

AI score: 9.9 | EPSS: 0.87816 | Exploits: 1 | Affected Software: 1
OpenSSL (added 2020/12/08 12:00 a.m., 356 views)

Vulnerability in OpenSSL - EDIPARTYNAME NULL pointer de-reference

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrect...

AI score: 5.6 | EPSS: 0.07201 | Exploits: 3 | Affected Software: 1
OpenSSL (added 2016/05/03 12:00 a.m., 347 views)

Vulnerability in OpenSSL - Padding oracle in AES-NI CBC MAC check

A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI. This issue was introduced as part of the fix for the Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sur...

AI score: 6.8 | EPSS: 0.89058 | Exploits: 6 | Affected Software: 1
OpenSSL (added 2022/05/03 12:00 a.m., 303 views)

Vulnerability in OpenSSL - The c_rehash script allows command injection

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the...

AI score: 10 | EPSS: 0.83583 | Exploits: 5 | Affected Software: 1
OpenSSL (added 2021/03/25 12:00 a.m., 288 views)

Vulnerability in OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an...

AI score: 7.5 | EPSS: 0.18339 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2021/02/16 12:00 a.m., 262 views)

Vulnerability in OpenSSL - Integer overflow in CipherUpdate

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1, indicating succes...

AI score: 8 | EPSS: 0.50732 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2021/08/24 12:00 a.m., 248 views)

Vulnerability in OpenSSL - Read buffer overruns processing ASN.1 strings

ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte...

AI score: 7.9 | EPSS: 0.50445 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2020/09/09 12:00 a.m., 241 views)

Vulnerability in OpenSSL - Raccoon Attack

The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted...

AI score: 4.1 | EPSS: 0.04781 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2024/06/26 12:00 a.m., 226 views)

Vulnerability in OpenSSL - SSL_select_next_proto buffer overread

Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application behaviour o...

AI score: 9.2 | EPSS: 0.05582 | Exploits: 1 | Affected Software: 1
OpenSSL (added 2021/02/16 12:00 a.m., 217 views)

Vulnerability in OpenSSL - Null pointer deref in X509_issuer_and_serial_hash()

The OpenSSL public API function X509_issuer_and_serial_hash attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field which might occur if the...

AI score: 7 | EPSS: 0.07471 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2017/12/07 12:00 a.m., 213 views)

Vulnerability in OpenSSL - Read/write after SSL object in error state

OpenSSL 1.0.2 starting from version 1.0.2b introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the...

AI score: 6 | EPSS: 0.78675 | Exploits: 1 | Affected Software: 1
OpenSSL (added 2022/06/21 12:00 a.m., 200 views)

Vulnerability in OpenSSL - The c_rehash script allows command injection

In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When CVE-2022-1292 was fixed it was not discovered that there...

AI score: 10 | EPSS: 0.95764 | Exploits: 6 | Affected Software: 1
OpenSSL (added 2014/06/05 12:00 a.m., 197 views)

Vulnerability in OpenSSL - SSL/TLS MITM vulnerability

An attacker can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. Found by KIKUCHI Masashi (Lepidum Co. Ltd.)...

AI score: 7.8 | EPSS: 0.95326 | Exploits: 9 | Affected Software: 1
OpenSSL (added 2022/03/15 12:00 a.m., 193 views)

Vulnerability in OpenSSL - Infinite loop in BN_mod_sqrt() reachable when parsing certificates

The BN_mod_sqrt function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a...

AI score: 7.8 | EPSS: 0.70561 | Exploits: 2 | Affected Software: 1
OpenSSL (added 2016/05/03 12:00 a.m., 192 views)

Vulnerability in OpenSSL - Memory corruption in the ASN.1 encoder

This issue affected versions of OpenSSL prior to April 2015. The bug causing the vulnerability was fixed on April 18th 2015, and released as part of the June 11th 2015 security releases. The security impact of the bug was not known at the time. In previous versions of OpenSSL, ASN.1 encoding the...

AI score: 7.7 | EPSS: 0.77906 | Exploits: 1 | Affected Software: 1
OpenSSL (added 2019/12/06 12:00 a.m., 160 views)

Vulnerability in OpenSSL - rsaz_512_sqr overflow bug on x86_64

There is an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are...

AI score: 6 | EPSS: 0.14298 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2024/05/27 12:00 a.m., 159 views)

Vulnerability in OpenSSL - Use After Free with SSL_free_buffers

Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code...

AI score: 7.5 | EPSS: 0.02945 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2021/03/25 12:00 a.m., 154 views)

Vulnerability in OpenSSL - NULL pointer deref in signature_algorithms processing

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension where it was present in the initial ClientHello, but includes a signature_algorithms_cert extension then a NU...

AI score: 6.6 | EPSS: 0.63542 | Exploits: 3 | Affected Software: 1
OpenSSL (added 2019/09/10 12:00 a.m., 141 views)

Vulnerability in OpenSSL - ECDSA remote timing attack

Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters instead of using a named curve. In those cases it is possible that such a group does not have...

AI score: 5.5 | EPSS: 0.01198 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2002/07/30 12:00 a.m., 141 views)

Vulnerability in OpenSSL CVE-2002-0656

A buffer overflow allowed remote attackers to execute arbitrary code by sending a large client master key in SSL2 or a large session ID in SSL3. Found by OpenSSL Group / A.L. Digital...

AI score: 9.7 | EPSS: 0.8982 | Exploits: 2 | Affected Software: 1
OpenSSL (added 2023/02/07 12:00 a.m., 139 views)

Vulnerability in OpenSSL - X.400 address type confusion in X.509 GeneralName

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequentl...

AI score: 7.8 | EPSS: 0.61979 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2022/01/28 12:00 a.m., 139 views)

Vulnerability in OpenSSL - BN_mod_exp may produce incorrect results on MIPS

There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis...

AI score: 5.8 | EPSS: 0.83645 | Exploits: 1 | Affected Software: 1
OpenSSL (added 2015/03/19 12:00 a.m., 137 views)

Vulnerability in OpenSSL - Base64 decode

A vulnerability existed in previous versions of OpenSSL related to the processing of base64 encoded data. Any code path that reads base64 data from an untrusted source could be affected, such as the PEM processing routines. Maliciously crafted base64 data could trigger a segmentation fault or memo...

AI score: 6.7 | EPSS: 0.44741 | Exploits: 1 | Affected Software: 1
OpenSSL (added 2016/08/24 12:00 a.m., 135 views)

Vulnerability in OpenSSL CVE-2016-2183

Because DES and triple-DES have only a 64-bit block size, birthday attacks are a real concern. For example, with the ability to run JavaScript in a browser, it is possible to send enough traffic to cause a collision, and then use that information to recover something like a session cookie...

AI score: 6.6 | EPSS: 0.95707 | Exploits: 7 | Affected Software: 1
OpenSSL (added 2023/02/07 12:00 a.m., 118 views)

Vulnerability in OpenSSL - Timing Oracle in RSA Decryption

A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages fo...

AI score: 6.8 | EPSS: 0.16195 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2019/09/10 12:00 a.m., 118 views)

Vulnerability in OpenSSL - Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey

In situations where an attacker receives automated notification of the success or failure of a decryption attempt, an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted...

AI score: 5.5 | EPSS: 0.03338 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2019/07/30 12:00 a.m., 115 views)

Vulnerability in OpenSSL - Windows builds with insecure path defaults

OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions...

AI score: 4.8 | EPSS: 0.00678 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2024/01/09 12:00 a.m., 114 views)

Vulnerability in OpenSSL - POLY1305 MAC implementation corrupts vector registers on PowerPC

Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary: If an attacker can influence whether the POLY1305 MAC...

AI score: 7.1 | EPSS: 0.02323 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2024/04/08 12:00 a.m., 112 views)

Vulnerability in OpenSSL - Unbounded memory growth with session handling in TLSv1.3

Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions. Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service. This problem can occur in...

AI score: 6.3 | EPSS: 0.54026 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2023/02/07 12:00 a.m., 109 views)

Vulnerability in OpenSSL - Double free after calling PEM_read_bio_ex

The function PEM_read_bio_ex reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data...

AI score: 7.9 | EPSS: 0.20444 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2024/05/16 12:00 a.m., 108 views)

Vulnerability in OpenSSL - Excessive time spent checking DSA keys and parameters

Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check or EVP_PKEY_public_check to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checke...

AI score: 5.6 | EPSS: 0.01131 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2019/09/10 12:00 a.m., 104 views)

Vulnerability in OpenSSL - Fork Protection

OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A...

AI score: 5.2 | EPSS: 0.06232 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2014/04/07 12:00 a.m., 100 views)

Vulnerability in OpenSSL - TLS heartbeat read overrun

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server, a.k.a. Heartbleed. This issue did not affect versions of OpenSSL prior to 1.0.1. Found by Neel Mehta...

AI score: 7.7 | EPSS: 0.99999 | Exploits: 86 | Affected Software: 1
OpenSSL (added 2024/01/25 12:00 a.m., 99 views)

Vulnerability in OpenSSL - PKCS12 Decoding crashes

Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash, leading to a potential Denial of Service attack. Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificat...

AI score: 5.9 | EPSS: 0.03174 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2018/04/16 12:00 a.m., 99 views)

Vulnerability in OpenSSL - Cache timing vulnerability in RSA Key Generation

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Found by Alejandro Cabrera Aldaya, Billy Brumley,...

AI score: 6.7 | EPSS: 0.12197 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2023/02/07 12:00 a.m., 97 views)

Vulnerability in OpenSSL - Use-after-free following BIO_new_NDEF

The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the...

AI score: 7.9 | EPSS: 0.04494 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2016/08/22 12:00 a.m., 95 views)

Vulnerability in OpenSSL - DTLS buffered message DoS

In a DTLS connection where handshake messages are delivered out-of-order, those messages that OpenSSL is not yet ready to process will be buffered for later use. Under certain circumstances, a flaw in the logic means that those messages do not get removed from the buffer even though the handshake...

AI score: 7.7 | EPSS: 0.26559 | Exploits: 1 | Affected Software: 1
OpenSSL (added 2023/03/21 12:00 a.m., 92 views)

Vulnerability in OpenSSL - Certificate policy check not enabled

The function X509_VERIFY_PARAM_add0_policy is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check, which allows certificates with invalid or incorrect policies to pass the certificate...

AI score: 6.5 | EPSS: 0.01629 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2016/08/23 12:00 a.m., 90 views)

Vulnerability in OpenSSL - Malformed SHA512 ticket DoS

If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a DoS attack where a malformed ticket will result in an OOB read which will ultimately crash. The use of SHA512 in TLS session tickets is comparatively rare as it requires a custom server callback and ticket lookup mechanism...

AI score: 7.7 | EPSS: 0.26441 | Exploits: 1 | Affected Software: 1
OpenSSL (added 2024/10/16 12:00 a.m., 89 views)

Vulnerability in OpenSSL - Low-level invalid GF(2^m) parameters lead to OOB memory access

Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes. Impact summary: Out of bound memory writes can lead to an application crash or even a possibility of a remote code execution,...

AI score: 7.8 | EPSS: 0.05966 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2015/06/11 12:00 a.m., 89 views)

Vulnerability in OpenSSL - Malformed ECParameters causes infinite loop

When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field. This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates. This includes...

AI score: 6.3 | EPSS: 0.23222 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2023/11/06 12:00 a.m., 87 views)

Vulnerability in OpenSSL - Excessive time spent in DH check / generation with large Q parameter value

Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the function DH_generate_key to generate an X9.42 DH key may experience long delays. Likewise, applications that use...

AI score: 6.2 | EPSS: 0.04459 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2020/04/21 12:00 a.m., 86 views)

Vulnerability in OpenSSL - Segmentation fault in SSL_check_chain

Server or client applications that call the SSL_check_chain function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm i...

AI score: 7.5 | EPSS: 0.53336 | Exploits: 2 | Affected Software: 1
OpenSSL (added 2017/08/28 12:00 a.m., 84 views)

Vulnerability in OpenSSL - Malformed X.509 IPAddressFamily could cause OOB read

While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. Found by Google OSS-Fuzz...

AI score: 6.3 | EPSS: 0.17699 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2016/05/03 12:00 a.m., 83 views)

Vulnerability in OpenSSL - EVP_EncodeUpdate overflow

An overflow can occur in the EVP_EncodeUpdate function which is used for Base64 encoding of binary data. If an attacker is able to supply very large amounts of input data then a length check can overflow, resulting in a heap corruption. Internally to OpenSSL the EVP_EncodeUpdate function is primarily...

AI score: 8 | EPSS: 0.3965 | Exploits: 1 | Affected Software: 1
OpenSSL (added 2023/09/08 12:00 a.m., 82 views)

Vulnerability in OpenSSL - POLY1305 MAC implementation corrupts XMM registers on Windows

Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer x86_64 processors supporting the AVX512-IFMA instructions. Impact summary: If in an application that us...

AI score: 7.9 | EPSS: 0.00862 | Exploits: 0 | Affected Software: 1
OpenSSL (added 2017/12/07 12:00 a.m., 82 views)

Vulnerability in OpenSSL - rsaz_1024_mul_avx2 overflow bug on x86_64

There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attack...

AI score: 6.5 | EPSS: 0.83645 | Exploits: 1 | Affected Software: 1
OpenSSL (added 2017/01/26 12:00 a.m., 80 views)

Vulnerability in OpenSSL - BN_mod_exp may produce incorrect results on x86_64

There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible...

AI score: 6.7 | EPSS: 0.25137 | Exploits: 1 | Affected Software: 1
OpenSSL (added 2016/11/10 12:00 a.m., 80 views)

Vulnerability in OpenSSL - ChaCha20/Poly1305 heap-buffer-overflow

TLS connections using -CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS. Found by Robert Święcki (Google Security Team)...

AI score: 6.2 | EPSS: 0.31857 | Exploits: 3 | Affected Software: 1
OpenSSL (added 2016/03/01 12:00 a.m., 80 views)

Vulnerability in OpenSSL - Double-free in DSA code

A double free bug was discovered when OpenSSL parses malformed DSA private keys and could lead to a DoS attack or memory corruption for applications that receive DSA private keys from untrusted sources. This scenario is considered rare. Found by Adam Langley (Google/BoringSSL)...

AI score: 7.7 | EPSS: 0.26335 | Exploits: 1 | Affected Software: 1
Total number of security vulnerabilities: 228