The POLY1305 MAC (message authentication code) implementation in OpenSSL has been found to contain a bug that might corrupt the internal state of applications running on the Windows 64 platform when using newer X86_64 processors that support the AVX512-IFMA instructions.

Impact Summary

If an attacker can influence whether the POLY1305 MAC algorithm is used in an application that uses the OpenSSL library, the application state might be corrupted, leading to a variety of application-dependent consequences. The issue has been classified as a Low severity security issue due to a lack of known affected applications, but its impact could range from minor incorrect calculations to complete control of the application process by an attacker.

Affected Code Snippet

The vulnerability lies in the code that calculates the MAC of data larger than 64 bytes. On the Windows 64 platform, where the calling convention requires a callee to preserve the non-volatile XMM registers (XMM6 through XMM15), OpenSSL does not save their contents, and instead sets them to zero rather than restoring their previous values.

The vulnerable code is used only on newer x86_64 processors that support the AVX512-IFMA instructions. The consequences of this internal application state corruption can vary depending on how the calling application uses these registers, and the specific nature of the affected calculations.

Exploit Details

A common usage of the POLY1305 MAC algorithm is within the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm, which is often employed by TLS protocol versions 1.2 and 1.3. A malicious client can influence whether this AEAD cipher is used by the server and potentially impact server applications that use OpenSSL.

Although no specific affected applications have been identified yet, this vulnerability does give an attacker the potential to corrupt application state and, in the worst case, gain control over the application process. The most likely outcome of successful exploitation would be incorrect calculations or a crash, leading to a denial of service.

Workarounds and Mitigations

To mitigate this vulnerability, support for the AVX512-IFMA instructions can be disabled at runtime by setting the OPENSSL_ia32cap environment variable:

OPENSSL_ia32cap=:~0x200000
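As an added example (not from the advisory or from OpenSSL's own code), the following Python re-implements the documented OPENSSL_ia32cap masking rules so the workaround value can be checked offline: it confirms that `:~0x200000` clears exactly the AVX512-IFMA bit (CPUID leaf 7, EBX bit 21) in the second capability word and leaves everything else untouched. The capability-vector layout is taken from the OPENSSL_ia32cap documentation; the sample CPUID words are constructed, not captured from a real machine.

```python
# Layout of OpenSSL's capability vector as documented for OPENSSL_ia32cap:
#   word 0 = CPUID leaf 1 EDX (low 32 bits) : ECX (high 32 bits)
#   word 1 = CPUID leaf 7 EBX (low 32 bits) : ECX (high 32 bits)
AVX512_IFMA_BIT = 1 << 21        # leaf 7 EBX bit 21, i.e. 0x200000 in word 1
MASK64 = (1 << 64) - 1

# Constructed sample: word 1 has AVX2 (bit 5), AVX512F (bit 16),
# AVX512-IFMA (bit 21) and AVX512VL (bit 31) set.  Hypothetical values.
SAMPLE_CAPS = [0x7FFAFBFFBFEBFBFF, 0x0000000080210020]


def apply_ia32cap(env_value, caps):
    """Apply an OPENSSL_ia32cap string to detected capability words.

    Re-implementation of the documented format (an assumption about
    OpenSSL's behaviour, not its parser): fields are colon separated;
    an empty field leaves that word unchanged; '~VALUE' clears the bits
    set in VALUE; a bare VALUE replaces the whole word.  Values accept
    C-style prefixes (0x... for hex).  Unlike a lenient C strtoull-style
    parse, a malformed value such as 'x200000' raises ValueError here
    instead of silently becoming 0 and clearing nothing.
    """
    words = list(caps)
    for i, field in enumerate(env_value.split(":")):
        if i >= len(words):
            break
        field = field.strip()
        if not field:
            continue                      # untouched word
        clear = field.startswith("~")
        value = int(field[1:] if clear else field, 0) & MASK64
        words[i] = (words[i] & ~value & MASK64) if clear else value
    return words


def avx512_ifma_enabled(caps):
    """True if OpenSSL would still treat AVX512-IFMA as usable."""
    return len(caps) > 1 and bool(caps[1] & AVX512_IFMA_BIT)


if __name__ == "__main__":
    after = apply_ia32cap(":~0x200000", SAMPLE_CAPS)
    print("before:", avx512_ifma_enabled(SAMPLE_CAPS), [hex(w) for w in SAMPLE_CAPS])
    print("after: ", avx512_ifma_enabled(after), [hex(w) for w in after])
```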

It is important to note that the FIPS provider is not affected by this issue.

References

- Original OpenSSL Security Advisory: Link
- CVE-2023-4807 Details: Link
- Description of the Issue in OpenSSL GitHub: Link

In conclusion, CVE-2023-4807 in OpenSSL's POLY1305 MAC implementation can corrupt application state on Windows 64 platforms running on newer X86_64 processors that support the AVX512-IFMA instructions. Although the issue is currently classified as low severity, users should be aware of the potential consequences and apply the workaround above to mitigate the risk.

Timeline

Published on: 09/08/2023 12:15:00 UTC
Last modified on: 09/14/2023 16:43:00 UTC