228 matches found

OpenSSL
added 2020/09/09 12:00 a.m., 241 views

Vulnerability in OpenSSL - Raccoon Attack

The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted...

AI score: 4.1, EPSS: 0.04781
Exploits: 0, Affected software: 1
OpenSSL
added 2020/04/21 12:00 a.m., 86 views

Vulnerability in OpenSSL - Segmentation fault in SSL_check_chain

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm i...

AI score: 7.5, EPSS: 0.53336
Exploits: 2, Affected software: 1
OpenSSL
added 2019/12/06 12:00 a.m., 160 views

Vulnerability in OpenSSL - rsaz_512_sqr overflow bug on x86_64

There is an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are...

AI score: 6, EPSS: 0.14298
Exploits: 0, Affected software: 1
OpenSSL
added 2019/09/10 12:00 a.m., 141 views

Vulnerability in OpenSSL - ECDSA remote timing attack

Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters instead of using a named curve. In those cases it is possible that such a group does not have...

AI score: 5.5, EPSS: 0.01198
Exploits: 0, Affected software: 1
OpenSSL
added 2019/09/10 12:00 a.m., 118 views

Vulnerability in OpenSSL - Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey

In situations where an attacker receives automated notification of the success or failure of a decryption attempt, the attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted...

AI score: 5.5, EPSS: 0.03338
Exploits: 0, Affected software: 1
OpenSSL
added 2019/09/10 12:00 a.m., 104 views

Vulnerability in OpenSSL - Fork Protection

OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A...

AI score: 5.2, EPSS: 0.06232
Exploits: 0, Affected software: 1
OpenSSL
added 2019/07/30 12:00 a.m., 115 views

Vulnerability in OpenSSL - Windows builds with insecure path defaults

OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions...

AI score: 4.8, EPSS: 0.00678
Exploits: 0, Affected software: 1
OpenSSL
added 2019/03/06 12:00 a.m., 70 views

Vulnerability in OpenSSL - ChaCha20-Poly1305 with long nonces

ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also...

AI score: 5.8, EPSS: 0.04961
Exploits: 0, Affected software: 1
OpenSSL
added 2019/02/26 12:00 a.m., 65 views

Vulnerability in OpenSSL - 0-byte record padding oracle

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received...

AI score: 6.2, EPSS: 0.17139
Exploits: 0, Affected software: 1
OpenSSL
added 2018/11/02 12:00 a.m., 74 views

Vulnerability in OpenSSL - Microarchitecture timing vulnerability in ECC scalar multiplication

OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown to be vulnerable to a microarchitecture timing side channel attack. An attacker with sufficient access to mount local timing attacks during ECDSA signature generation could recover the private key. Found by Alejandro...

AI score: 5.6, EPSS: 0.03418
Exploits: 4, Affected software: 1
OpenSSL
added 2018/10/30 12:00 a.m., 78 views

Vulnerability in OpenSSL - Timing vulnerability in DSA signature generation

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Found by Samuel Weiser...

AI score: 6, EPSS: 0.12154
Exploits: 0, Affected software: 1
OpenSSL
added 2018/10/29 12:00 a.m., 70 views

Vulnerability in OpenSSL - Timing vulnerability in ECDSA signature generation

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Found by Samuel Weiser...

AI score: 5.8, EPSS: 0.04741
Exploits: 0, Affected software: 1
OpenSSL
added 2018/06/12 12:00 a.m., 58 views

Vulnerability in OpenSSL - Client DoS due to large DH parameter

During key agreement in a TLS handshake using a DHE based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This...

AI score: 7.7, EPSS: 0.49268
Exploits: 0, Affected software: 1
OpenSSL
added 2018/04/16 12:00 a.m., 99 views

Vulnerability in OpenSSL - Cache timing vulnerability in RSA Key Generation

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Found by Alejandro Cabrera Aldaya, Billy Brumley,...

AI score: 6.7, EPSS: 0.12197
Exploits: 0, Affected software: 1
OpenSSL
added 2018/03/27 12:00 a.m., 56 views

Vulnerability in OpenSSL - Incorrect CRYPTO_memcmp on HP-UX PA-RISC

Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security...

AI score: 6, EPSS: 0.08638
Exploits: 0, Affected software: 1
OpenSSL
added 2018/03/27 12:00 a.m., 67 views

Vulnerability in OpenSSL - Constructed ASN.1 types with a recursive definition could exceed the stack

Constructed ASN.1 types with a recursive definition such as can be found in PKCS7 could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so...

AI score: 6.3, EPSS: 0.19295
Exploits: 0, Affected software: 1
OpenSSL
added 2017/12/07 12:00 a.m., 213 views

Vulnerability in OpenSSL - Read/write after SSL object in error state

OpenSSL 1.0.2 starting from version 1.0.2b introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the...

AI score: 6, EPSS: 0.78675
Exploits: 1, Affected software: 1
OpenSSL
added 2017/12/07 12:00 a.m., 82 views

Vulnerability in OpenSSL - rsaz_1024_mul_avx2 overflow bug on x86_64

There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attack...

AI score: 6.5, EPSS: 0.83645
Exploits: 1, Affected software: 1
OpenSSL
added 2017/11/02 12:00 a.m., 79 views

Vulnerability in OpenSSL - bn_sqrx8x_internal carry bug on x86_64

There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible...

AI score: 6.7, EPSS: 0.10133
Exploits: 0, Affected software: 1
OpenSSL
added 2017/08/28 12:00 a.m., 84 views

Vulnerability in OpenSSL - Malformed X.509 IPAddressFamily could cause OOB read

While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. Found by Google OSS-Fuzz...

AI score: 6.3, EPSS: 0.17699
Exploits: 0, Affected software: 1
OpenSSL
added 2017/02/16 12:00 a.m., 40 views

Vulnerability in OpenSSL - Encrypt-Then-Mac renegotiation crash

During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash dependent on ciphersuite. Both clients and servers are affected. Found by Joe Orton (Red Hat)...

AI score: 7.3, EPSS: 0.12638
Exploits: 0, Affected software: 1
OpenSSL
added 2017/01/26 12:00 a.m., 40 views

Vulnerability in OpenSSL - Bad (EC)DHE parameters cause a client crash

If a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack. Found by Guido Vranken...

AI score: 7.3, EPSS: 0.55294
Exploits: 5, Affected software: 1
OpenSSL
added 2017/01/26 12:00 a.m., 80 views

Vulnerability in OpenSSL - BN_mod_exp may produce incorrect results on x86_64

There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible...

AI score: 6.7, EPSS: 0.25137
Exploits: 1, Affected software: 1
OpenSSL
added 2017/01/26 12:00 a.m., 61 views

Vulnerability in OpenSSL - Truncated packet could crash via OOB read

If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; user...

AI score: 7.7, EPSS: 0.57595
Exploits: 1, Affected software: 1
OpenSSL
added 2016/11/10 12:00 a.m., 73 views

Vulnerability in OpenSSL - Montgomery multiplication may produce incorrect results

There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not...

AI score: 7, EPSS: 0.14338
Exploits: 1, Affected software: 1
OpenSSL
added 2016/11/10 12:00 a.m., 79 views

Vulnerability in OpenSSL - ChaCha20/Poly1305 heap-buffer-overflow

TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS. Found by Robert Święcki (Google Security Team)...

AI score: 6.2, EPSS: 0.31857
Exploits: 3, Affected software: 1
OpenSSL
added 2016/11/10 12:00 a.m., 37 views

Vulnerability in OpenSSL - CMS Null dereference

Applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings...

AI score: 6.4, EPSS: 0.213
Exploits: 0, Affected software: 1
OpenSSL
added 2016/09/26 12:00 a.m., 45 views

Vulnerability in OpenSSL - Fix Use After Free for large message sizes

This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016. The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received then the underlying buffer to store the incoming message is reallocated and moved. Unfortunately a danglin...

AI score: 7.9, EPSS: 0.69738
Exploits: 0, Affected software: 1
OpenSSL
added 2016/09/26 12:00 a.m., 52 views

Vulnerability in OpenSSL - Missing CRL sanity check

This issue only affects OpenSSL 1.0.2i, released on 22nd September 2016. A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0 but was omitted from OpenSSL 1.0.2i. As a result any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer exception. Found by Bruce...

AI score: 8.5, EPSS: 0.30435
Exploits: 1, Affected software: 1
OpenSSL
added 2016/09/22 12:00 a.m., 66 views

Vulnerability in OpenSSL - SSL_peek() hang on empty record

OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer sends an empty record. This could be exploited by a malicious peer in a Denial Of Service attack. Found by Alex Gaynor...

AI score: 8.3, EPSS: 0.15997
Exploits: 1, Affected software: 1
OpenSSL
added 2016/09/22 12:00 a.m., 78 views

Vulnerability in OpenSSL - OCSP Status Request extension unbounded memory growth

A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service...

AI score: 8.1, EPSS: 0.63029
Exploits: 2, Affected software: 1
OpenSSL
added 2016/09/21 12:00 a.m., 40 views

Vulnerability in OpenSSL - Excessive allocation of memory in dtls1_preprocess_fragment()

A DTLS message includes 3 bytes for its length in the header for the message. This would allow for messages up to 16Mb in length. Messages of this length are excessive and OpenSSL includes a check to ensure that a peer is sending reasonably sized messages in order to avoid too much memory being...

AI score: 7.4, EPSS: 0.14067
Exploits: 0, Affected software: 1
OpenSSL
added 2016/09/21 12:00 a.m., 39 views

Vulnerability in OpenSSL - Excessive allocation of memory in tls_get_message_header()

A TLS message includes 3 bytes for its length in the header for the message. This would allow for messages up to 16Mb in length. Messages of this length are excessive and OpenSSL includes a check to ensure that a peer is sending reasonably sized messages in order to avoid too much memory being...

AI score: 7.4, EPSS: 0.13837
Exploits: 0, Affected software: 1
OpenSSL
added 2016/09/21 12:00 a.m., 67 views

Vulnerability in OpenSSL - Certificate message OOB reads

In OpenSSL 1.0.2 and earlier some missing message length checks can result in OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical DoS risk but this has not been observed in practice on common platforms. The messages affected are client certificate, client certificate...

AI score: 7.8, EPSS: 0.41683
Exploits: 1, Affected software: 1
OpenSSL
added 2016/08/24 12:00 a.m., 134 views

Vulnerability in OpenSSL CVE-2016-2183

Because DES and triple-DES have only a 64-bit block size, birthday attacks are a real concern. For example, with the ability to run JavaScript in a browser, it is possible to send enough traffic to cause a collision, and then use that information to recover something like a session Cookie...

AI score: 6.6, EPSS: 0.95707
Exploits: 7, Affected software: 1
OpenSSL
added 2016/08/24 12:00 a.m., 54 views

Vulnerability in OpenSSL - OOB write in MDC2_Update()

An overflow can occur in MDC2_Update() either if called directly or through the EVP_DigestUpdate() function using MDC2. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap...

AI score: 8.1, EPSS: 0.31985
Exploits: 1, Affected software: 1
OpenSSL
added 2016/08/23 12:00 a.m., 90 views

Vulnerability in OpenSSL - Malformed SHA512 ticket DoS

If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a DoS attack where a malformed ticket will result in an OOB read which will ultimately crash. The use of SHA512 in TLS session tickets is comparatively rare as it requires a custom server callback and ticket lookup mechanism...

AI score: 7.7, EPSS: 0.26441
Exploits: 1, Affected software: 1
OpenSSL
added 2016/08/22 12:00 a.m., 95 views

Vulnerability in OpenSSL - DTLS buffered message DoS

In a DTLS connection where handshake messages are delivered out-of-order those messages that OpenSSL is not yet ready to process will be buffered for later use. Under certain circumstances, a flaw in the logic means that those messages do not get removed from the buffer even though the handshake...

AI score: 7.7, EPSS: 0.26559
Exploits: 1, Affected software: 1
OpenSSL
added 2016/08/19 12:00 a.m., 38 views

Vulnerability in OpenSSL - DTLS replay protection DoS

A flaw in the DTLS replay attack protection mechanism means that records that arrive for future epochs update the replay protection "window" before the MAC for the record has been validated. This could be exploited by an attacker by sending a record for the next epoch which does not have to decry...

AI score: 7.7, EPSS: 0.22634
Exploits: 1, Affected software: 1
OpenSSL
added 2016/08/16 12:00 a.m., 46 views

Vulnerability in OpenSSL - OOB write in BN_bn2dec()

The function BN_bn2dec() does not check the return value of BN_div_word(). This can cause an OOB write if an application uses this function with an overly large BIGNUM. This could be a problem if an overly large certificate or CRL is printed out from an untrusted source. TLS is not affected because reco...

AI score: 8.8, EPSS: 0.44218
Exploits: 1, Affected software: 1
OpenSSL
added 2016/07/22 12:00 a.m., 42 views

Vulnerability in OpenSSL - OOB read in TS_OBJ_print_bio()

The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is the total length the OID text representation would use and not the amount of data written. This will result in OOB reads when large OIDs are presented. Found by Shi Lei (Gear Team, Qihoo 360 Inc.)...

AI score: 7.7, EPSS: 0.28533
Exploits: 1, Affected software: 1
OpenSSL
added 2016/06/07 12:00 a.m., 55 views

Vulnerability in OpenSSL - Constant time flag not preserved in DSA signing

Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficien...

AI score: 7.5, EPSS: 0.01174
Exploits: 1, Affected software: 1
OpenSSL
added 2016/06/01 12:00 a.m., 56 views

Vulnerability in OpenSSL - Pointer arithmetic undefined behaviour

Avoid some undefined pointer arithmetic. A common idiom in the codebase is to check limits in the following manner: "p + len > limit", where "p" points to some malloc'd data of SIZE bytes and limit == p + SIZE. "len" here could be from some externally supplied data (e.g. from a TLS message). The rules o...

AI score: 7.6, EPSS: 0.44505
Exploits: 1, Affected software: 1
OpenSSL
added 2016/05/03 12:00 a.m., 37 views

Vulnerability in OpenSSL - EBCDIC overread

ASN1 Strings that are over 1024 bytes can cause an overread in applications using the X509_NAME_oneline() function on EBCDIC systems. This could result in arbitrary stack data being returned in the buffer. Found by Guido Vranken...

AI score: 7.9, EPSS: 0.22841
Exploits: 1, Affected software: 1
OpenSSL
added 2016/05/03 12:00 a.m., 53 views

Vulnerability in OpenSSL - ASN.1 BIO excessive memory allocation

When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() a short invalid encoding can cause allocation of large amounts of memory potentially consuming excessive resources or exhausting memory. Any application parsing untrusted data through d2i BIO functions is affected. The memory...

AI score: 6.8, EPSS: 0.2921
Exploits: 1, Affected software: 1
OpenSSL
added 2016/05/03 12:00 a.m., 45 views

Vulnerability in OpenSSL - EVP_EncryptUpdate overflow

An overflow can occur in the EVP_EncryptUpdate() function. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption. Following an analysis of all OpenSSL internal...

AI score: 7.7, EPSS: 0.27261
Exploits: 1, Affected software: 1
OpenSSL
added 2016/05/03 12:00 a.m., 192 views

Vulnerability in OpenSSL - Memory corruption in the ASN.1 encoder

This issue affected versions of OpenSSL prior to April 2015. The bug causing the vulnerability was fixed on April 18th 2015, and released as part of the June 11th 2015 security releases. The security impact of the bug was not known at the time. In previous versions of OpenSSL, ASN.1 encoding the...

AI score: 7.7, EPSS: 0.77906
Exploits: 1, Affected software: 1
OpenSSL
added 2016/05/03 12:00 a.m., 83 views

Vulnerability in OpenSSL - EVP_EncodeUpdate overflow

An overflow can occur in the EVP_EncodeUpdate() function which is used for Base64 encoding of binary data. If an attacker is able to supply very large amounts of input data then a length check can overflow resulting in a heap corruption. Internally to OpenSSL the EVP_EncodeUpdate() function is primarily...

AI score: 8, EPSS: 0.3965
Exploits: 1, Affected software: 1
OpenSSL
added 2016/05/03 12:00 a.m., 347 views

Vulnerability in OpenSSL - Padding oracle in AES-NI CBC MAC check

A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI. This issue was introduced as part of the fix for the Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sur...

AI score: 6.8, EPSS: 0.89058
Exploits: 6, Affected software: 1
OpenSSL
added 2016/03/01 12:00 a.m., 61 views

Vulnerability in OpenSSL - Side channel attack on modular exponentiation

A side-channel attack was found which makes use of cache-bank conflicts on the Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA keys. The ability to exploit this issue is limited as it relies on an attacker who has control of code in a thread running on the same...

AI score: 6.6, EPSS: 0.0191
Exploits: 1, Affected software: 1

Total number of security vulnerabilities: 228