A critical vulnerability has been identified in the GOST engine, a reference implementation of Russian GOST crypto algorithms for OpenSSL. This vulnerability exposes TLS clients to buffer overflow attacks when using the TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite with a server utilizing 512-bit GOST secret keys. This vulnerability has been assigned the identifier CVE-2022-29242.
In this post, we will take a closer look at this vulnerability and discuss its implications on affected systems. We'll review the patch released in GOST engine v3..1 and evaluate the potential workarounds available.
Vulnerability Details
OpenSSL is a widely used software library that provides secure communication for various applications by implementing cryptographic protocols. In particular, the GOST engine implements the Russian GOST crypto algorithms for OpenSSL.
This vulnerability occurs when a TLS client and server negotiate the TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite, and the server employs 512 bit GOST secret keys. The issue manifests as a buffer overflow in GOST engine, allowing a malicious server to execute arbitrary code on a vulnerable client.
Here is a snippet of the problematic code in the GOST engine before the patch
/* gost_ec_key.c */
void gost_ec_key_copy(EC_KEY *dst, const EC_KEY *src)
{
/* ... */
memcpy(dst->private_key, src->private_key, 64);
}
EVP_PKEY *gost_EVP_PKEY_copy(EVP_PKEY *dst, const EVP_PKEY *src)
{
/* ... */
gost_ec_key_copy(dst->ec, src->ec);
}
The buffer overflow occurs due to the memcpy function copying 64 bytes of data from the source key to the destination key, which causes an overflow if the destination buffer is smaller than 64 bytes.
Patch and Workarounds
To address this issue, the GOST engine developers released a patch in v3..1, which can be found here. The patch modifies the gost_ec_key_copy function, adding a check to prevent buffer overflow:
/* gost_ec_key.c */
void gost_ec_key_copy(EC_KEY *dst, const EC_KEY *src)
{
/* ... */
if (src->private_key->len <= dst->private_key->len)
{
memcpy(dst->private_key, src->private_key, src->private_key->len);
}
}
As an alternative to patching, users can disable the TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite on their systems. This can be done by altering the OpenSSL configuration and restarting any services that rely upon OpenSSL. For example, to disable the ciphersuite, you can add the following line to your OpenSSL configuration file:
!TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
Conclusion
The buffer overflow vulnerability, CVE-2022-29242, in GOST engine can have significant security implications for affected systems. As such, users are advised to either patch their GOST engine to v3..1 or disable the affected ciphersuite as soon as possible.
For more information about the vulnerability and the patch, you can refer to the GOST engine GitHub repository and the CVE-2022-29242 record at the MITRE CVE database.
Timeline
Published on: 05/24/2022 15:15:00 UTC
Last modified on: 06/07/2022 16:54:00 UTC