A critical security bug, identified as CVE-2023-5363, has been discovered in OpenSSL 3.0 and 3.1, affecting the processing of key and initialization vector (IV) lengths. Specifically, the bug can cause truncation or overruns of the key and IV during the initialization of some symmetric ciphers. This issue can lead to loss of confidentiality for some cipher modes.

Original references can be found here:

- OpenSSL Security Advisory
- NIST SP 800-38D: Recommendation for Block Cipher Modes of Operation (PDF)

Impact Summary

A truncation in the IV can cause non-uniqueness, leading to a loss of confidentiality for affected cipher modes. The impacted ciphers and cipher modes include RC2, RC4, RC5, CCM, GCM, and OCB.

For the CCM, GCM, and OCB cipher modes, IV truncation can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance in constructing a deterministic IV for AES in GCM mode, truncation of the counter portion can lead to IV reuse.

Additionally, truncations and overruns of the key and IV may produce incorrect encryption/decryption results and potentially trigger a memory exception. Although these issues are not currently considered security-critical, their implications should not be ignored.

Affected API Call Example

In affected OpenSSL versions, when calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2(), or EVP_CipherInit_ex2(), the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length (via the "keylen" parameter) or the IV length (via the "ivlen" parameter) within the OSSL_PARAM array will not take effect as intended. This can potentially cause truncation or overreading of these values.

Here's a code snippet illustrating an affected API call:

/* Affected pattern: key and IV arrive in the same call as the "keylen"/"ivlen"
 * params, so the new lengths are applied only after key and IV were copied. */
#include <openssl/evp.h>
#include <openssl/params.h>

size_t keylen_new, ivlen_new;   /* desired lengths, set before the call */
OSSL_PARAM params[] = {
    OSSL_PARAM_construct_size_t("keylen", &keylen_new),
    OSSL_PARAM_construct_size_t("ivlen", &ivlen_new),
    OSSL_PARAM_END
};

/* EVP_EncryptInit_ex2() takes five arguments: ctx, cipher, key, iv, params */
EVP_EncryptInit_ex2(ctx, cipher, key, iv, params);
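To make the ordering problem concrete, here is a small stand-alone C model, added here and not taken from OpenSSL or the advisory: a context with a 12-byte default IV length, a caller that requests 16 bytes and feeds it IVs built the way SP 800-38D section 8.2.1 describes (a fixed field followed by an invocation counter), and the two initialization orders side by side. The struct, function names and constants are the model's own and are not OpenSSL's; the fixed-field value is constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the affected initialization order, not OpenSSL code.
 * Constants mirror AES-GCM: a 12-byte default IV, 16 bytes requested here. */
#define GCM_DEFAULT_IVLEN 12u
#define MODEL_MAX_IVLEN   16u

typedef struct {
    unsigned char iv[MODEL_MAX_IVLEN]; /* stands in for the context's IV buffer */
    size_t ivlen;                      /* length the context believes is in use */
} model_ctx;

/* Affected order: the caller's IV is copied with the length the context
 * currently holds (the default), and only afterwards is the requested
 * "ivlen" applied. Bytes beyond the default are never copied. */
static bool init_affected(model_ctx *ctx, const unsigned char *iv, size_t requested_ivlen)
{
    if (requested_ivlen > MODEL_MAX_IVLEN)
        return false;
    memset(ctx, 0, sizeof *ctx);
    ctx->ivlen = GCM_DEFAULT_IVLEN;
    memcpy(ctx->iv, iv, ctx->ivlen);   /* copies 12 of the 16 bytes provided */
    ctx->ivlen = requested_ivlen;      /* too late: trailing bytes keep whatever the
                                          buffer held (zero in a fresh context) */
    return true;
}

/* Corrected order: apply the requested length first, then copy that many bytes. */
static bool init_fixed(model_ctx *ctx, const unsigned char *iv, size_t requested_ivlen)
{
    if (requested_ivlen > MODEL_MAX_IVLEN)
        return false;
    memset(ctx, 0, sizeof *ctx);
    ctx->ivlen = requested_ivlen;
    memcpy(ctx->iv, iv, ctx->ivlen);
    return true;
}

/* Deterministic IV in the shape of SP 800-38D section 8.2.1: a fixed field
 * identifying the device, then an invocation counter. Here 4 fixed bytes and
 * a 12-byte big-endian counter (64 significant bits) fill a 16-byte IV. */
static void build_iv(unsigned char out[MODEL_MAX_IVLEN], uint32_t fixed_field, uint64_t invocation)
{
    memset(out, 0, MODEL_MAX_IVLEN);
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(fixed_field >> (8 * (3 - i)));
    for (int i = 0; i < 8; i++)
        out[MODEL_MAX_IVLEN - 1 - i] = (unsigned char)(invocation >> (8 * i));
}

/* Initialise n contexts for invocations 0..n-1 and count how many distinct
 * effective IVs (the bytes the cipher would actually use) result. */
int count_distinct_effective_ivs(int n, bool affected)
{
    model_ctx ctxs[64];
    unsigned char iv[MODEL_MAX_IVLEN];
    int distinct = 0;

    if (n < 1 || n > 64)
        return -1;
    for (int i = 0; i < n; i++) {
        build_iv(iv, 0xA5A5A5A5u, (uint64_t)i);   /* constructed fixed field */
        bool ok = affected ? init_affected(&ctxs[i], iv, MODEL_MAX_IVLEN)
                           : init_fixed(&ctxs[i], iv, MODEL_MAX_IVLEN);
        if (!ok)
            return -1;
    }
    for (int i = 0; i < n; i++) {
        bool seen = false;
        for (int j = 0; j < i && !seen; j++)
            seen = ctxs[i].ivlen == ctxs[j].ivlen &&
                   memcmp(ctxs[i].iv, ctxs[j].iv, ctxs[i].ivlen) == 0;
        if (!seen)
            distinct++;
    }
    return distinct;
}

int main(void)
{
    /* The low-order counter bytes sit in positions 12..15, exactly the bytes
     * the affected order drops, so every invocation collapses onto one IV. */
    printf("affected order:  %d distinct IVs for 8 invocations\n",
           count_distinct_effective_ivs(8, true));    /* 1 */
    printf("corrected order: %d distinct IVs for 8 invocations\n",
           count_distinct_effective_ivs(8, false));   /* 8 */
    return 0;
}
```

The collapse to a single effective IV is the non-uniqueness the impact summary refers to: the counter still advances on the caller's side, but the cipher never sees the bytes that change.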

Overall Severity and Recommendations

Changing the key and IV lengths is not considered common, and the vulnerable API was recently introduced. It is likely that application developers would have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. Due to these reasons, the probability of an application being vulnerable is considered low. However, if an application is vulnerable, this issue is considered very serious.

Therefore, this bug has been assessed as having moderate severity overall. As there is no impact on the OpenSSL SSL/TLS implementation or on the OpenSSL 3.0 and 3.1 FIPS providers, applications using only these features should not be affected.

To mitigate the security risk, affected users should upgrade to a newer OpenSSL version with a fix for the issue as soon as it becomes available. In the meantime, developers can apply a manual workaround: do not call the affected API with key and IV together with an OSSL_PARAM array that modifies the key or IV lengths.

Timeline

Published on: 10/25/2023 18:17:43 UTC
Last modified on: 11/09/2023 13:55:31 UTC