The low-level GF(2^m) elliptic curve APIs, when used with untrusted explicit values for the field polynomial, can result in out-of-bounds memory reads or writes. This could potentially lead to an application crash or even a remote code execution. However, the likelihood of encountering a vulnerable application is low due to the usage of either "named curves" or X9.62 encoding in most Elliptic Curve Cryptography protocols.
Affected APIs
The affected APIs include EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), and various supporting BN_GF2m_*() functions.
Exploit details
An attacker could potentially exploit this vulnerability by providing an "exotic" curve encoding that includes invalid field polynomials with a zero constant term. This could cause an application to terminate abruptly due to reading or writing outside of array bounds. Remote code execution cannot be easily ruled out in this scenario.
Here's a sketch of how an attacker might use the affected APIs (the curve coefficients are elided; the point is the field polynomial with no constant term):
#include <openssl/bn.h>
#include <openssl/ec.h>
...
int field_bits = 163;
/* BN_GF2m_arr2poly() takes the exponents of the set terms, highest first,
 * terminated by -1. No 0 entry below, so the constant term is zero:
 * problematic input. */
int bad_exponents[] = { field_bits, 7, 6, 3, -1 };
BIGNUM *bad_poly = BN_new();
BN_GF2m_arr2poly(bad_exponents, bad_poly);
BIGNUM *a = ...; /* curve coefficient a */
BIGNUM *b = ...; /* curve coefficient b */
/* EC_GROUP_new_curve_GF2m() takes the field polynomial and the coefficients
 * a and b; the resulting group object may cause out-of-bounds memory access
 * in later BN_GF2m_*() operations. */
EC_GROUP *group = EC_GROUP_new_curve_GF2m(bad_poly, a, b, NULL);
...
Links to original references
1. OpenSSL issue #16400
2. CVE Details: CVE-2024-9143
Impact summary
Out-of-bounds memory writes may result in application crashes or even remote code execution. However, based on the existing protocols involving Elliptic Curve Cryptography, the likelihood of encountering a vulnerable application is relatively low. Specifically, X9.62 encoding is used for ECC keys in X.509 certificates, which prevents problematic inputs from occurring in the context of processing X.509 certificates.
Mitigation
To mitigate this vulnerability, ensure that only "named curves" or the X9.62 encoding of binary (GF(2^m)) curves are accepted when handling elliptic curve parameters. Treat "exotic" curve encodings with caution, since they can represent invalid field polynomials with a zero constant term.
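As an added illustration (not code from OpenSSL or from the original post), here is a validator for explicit GF(2^m) field polynomials in the exponent-array form that BN_GF2m_arr2poly() consumes; it rejects the zero-constant-term case described above and, following X9.62, accepts only trinomials and pentanomials of the claimed degree. The function name gf2m_poly_ok, the MAX_FIELD_BITS limit and the sample arrays are assumptions made for this example.

```c
#include <stdio.h>

/* Cap on the field degree m (an assumed policy limit, not an OpenSSL constant). */
#define MAX_FIELD_BITS 1024

/* Check an explicit GF(2^m) reduction polynomial in the exponent-array form
 * BN_GF2m_arr2poly() consumes: set-bit positions, strictly descending,
 * terminated by -1 (x^163 + x^7 + x^6 + x^3 + 1 is {163, 7, 6, 3, 0, -1}).
 * Returns 1 if acceptable for a field of degree expected_m, else 0. Call it
 * before passing untrusted explicit parameters to EC_GROUP_new_curve_GF2m(). */
int gf2m_poly_ok(const int exps[], int expected_m)
{
    int n;

    if (exps == NULL || expected_m <= 0 || expected_m > MAX_FIELD_BITS)
        return 0;
    /* The leading exponent is the field degree; it must match the claim. */
    if (exps[0] != expected_m)
        return 0;
    /* Strictly descending and non-negative entries bound this loop to at most
     * expected_m + 2 reads even if the -1 terminator is missing. */
    for (n = 1; exps[n] != -1; n++) {
        if (exps[n] < 0 || exps[n] >= exps[n - 1])
            return 0;
    }
    /* The last exponent must be 0 (the "+ 1" term). Without it the polynomial
     * is divisible by x: the malformed input behind CVE-2024-9143. */
    if (exps[n - 1] != 0)
        return 0;
    /* X9.62 encodes only trinomial and pentanomial bases; anything else is
     * an "exotic" encoding and is rejected here. */
    if (n != 3 && n != 5)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed samples: well formed, missing constant term, wrong degree. */
    static const int good[] = { 163, 7, 6, 3, 0, -1 };
    static const int no_const[] = { 163, 7, 6, 3, -1 };
    static const int wrong_m[] = { 233, 74, 0, -1 };

    printf("good=%d no_const=%d wrong_m=%d\n", gf2m_poly_ok(good, 163),
           gf2m_poly_ok(no_const, 163), gf2m_poly_ok(wrong_m, 163)); /* 1 0 0 */
    return 0;
}
```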
Note
The FIPS modules in 3.3, 3.2, 3.1, and 3. are not affected by this issue, which reduces the overall risk of this vulnerability.
In conclusion, although CVE-2024-9143 presents a possible risk, its actual impact is relatively low due to the uncommon nature of vulnerable applications. By adhering to recommended best practices and utilizing the FIPS modules, developers can ensure that their applications remain secure even in the unlikely event of an attack exploiting this vulnerability.
Timeline
Published on: 10/16/2024 17:15:18 UTC
Last modified on: 11/08/2024 16:35:21 UTC