Bug 2215607

Summary: openssl: BIGNUM reciprocal lacks proper check for 0 divisor in BN_RECP_CTX_set
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aazores, adudiak, aveerama, bleanhar, bodavis, chazlett, cllang, cwelton, davidn, dbelyavs, dfreiber, eaguilar, ebaron, ellin, epacific, gparvin, jburrell, jcammara, jhardy, jkang, jneedle, jobarker, jpallich, kshier, mabashia, mnewsome, nboldt, njean, osapryki, owatkins, pahickey, pjindal, rgarg, rogbas, scorneli, sfroberg, shbose, simaishi, smcdonal, stcannon, teagle, tfister, ubhargav, vkumar, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-07-04 13:22:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2215608, 2215612, 2215613, 2215611, 2215614, 2215615, 2215616, 2215617, 2215618, 2215619, 2215620, 2215621
Bug Blocks: 2215610

Description Guilherme de Almeida Suckevicz 2023-06-16 18:40:20 UTC
Technical details and steps to reproduce can be found on the referenced GitHub pages below.

BIGNUM reciprocal lacks proper check for 0 divisor in BN_RECP_CTX_set

 [Additional Information]
 This is a similar vulnerability to the root cause of CVE-2015-1794.

 ------------------------------------------

 [VulnerabilityType Other]
 CWE-20 Improper input validation

 ------------------------------------------

 [Vendor of Product]
 OpenSSL

 ------------------------------------------

 [Affected Product Code Base]
All versions to date

 ------------------------------------------

 [Affected Component]
 BIGNUM reciprocal implementation (exported function), crypto/bn/bn_recp.c:BN_RECP_CTX_set

 ------------------------------------------

 [Attack Type]
 Remote

 ------------------------------------------

 [Impact Denial of Service]
 true

 ------------------------------------------

 [Attack Vectors]
 The root cause of this vulnerability is that the initial setup function BN_RECP_CTX_set does not verify the divisor against 0 and returns success. Without a return value indicating an illegal divisor, the developer may dismiss the divide-by-zero error and falsely set up some relevant logic.
 Unlike CVE-2015-1794 (https://github.com/advisories/GHSA-x29w-fcg6-7f9m), BIGNUM reciprocal is only used in BN_mod_exp_recp, where the divisor is checked after invoking BN_RECP_CTX_set. Thus the defect does not make a critical vulnerability in OpenSSL itself. However, reciprocal-related functions are exported, and with a simple code search I found a few projects using them directly, like rnpgp (https://github.com/rnpgp/rnp/blob/ed195f81b71a40eac2b0a61b0778b1cf717d6191/src/lib/crypto/elgamal_ossl.cpp#L83). So it is a good idea to regard it as a vulnerability so downstream developers may get a chance to check if their usage is impacted.

 ------------------------------------------

 [Reference]
Technical report and PoC:
https://github.com/openssl/openssl/issues/21111

 ------------------------------------------

 [Has vendor confirmed or acknowledged the vulnerability?]
 true


 ------------------------------------------

 [Discoverer]
 fullwaywang from Tencent
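
The Attack Vectors section above describes the defect as a setup function that accepts a zero divisor and still reports success, leaving the caller no signal to act on. The following is an added example, not OpenSSL's code and not the reporter's PoC: a small, self-contained C model of a reciprocal context in the spirit of BN_RECP_CTX (for a divisor m of bit length k it stores r = floor(2^(2k)/m) and reduces x < m^2 with a multiply-and-shift instead of a division). All names here (recp_ctx, recp_ctx_set, recp_mod, mod_exp_recp) are hypothetical; divisors are limited to 32 bits so the arithmetic fits in the 128-bit integers GCC and Clang provide. The two things it shows are the zero-divisor check returning failure from the setup routine and a BN_mod_exp_recp-style caller that refuses to continue when that check fails.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not OpenSSL code: a toy reciprocal context.  For a divisor
 * m with bit length k it stores r = floor(2^(2k) / m); reducing x < m^2 then
 * uses q = (x * r) >> 2k as the quotient estimate.  unsigned __int128 is a
 * GCC/Clang extension (assumption: the compiler provides it). */
typedef unsigned __int128 u128;

typedef struct {
    uint64_t m;      /* divisor / modulus */
    uint64_t r;      /* reciprocal estimate floor(2^(2k) / m) */
    unsigned shift;  /* 2k */
    int valid;       /* 1 only after a successful recp_ctx_set */
} recp_ctx;

/* Returns 1 on success, 0 if the divisor is zero (the check the report asks
 * for) or exceeds this toy's 32-bit limit.  On failure the context is left
 * marked invalid so later use is refused instead of dividing by zero. */
static int recp_ctx_set(recp_ctx *ctx, uint64_t m) {
    unsigned k = 0;
    ctx->valid = 0;
    if (m == 0 || (m >> 32) != 0)
        return 0;
    for (uint64_t t = m; t; t >>= 1)
        k++;
    ctx->m = m;
    ctx->shift = 2 * k;                                  /* at most 64 */
    ctx->r = (uint64_t)(((u128)1 << ctx->shift) / m);    /* fits in 33 bits */
    ctx->valid = 1;
    return 1;
}

/* Reduce x (which must be < m^2) modulo ctx->m using the stored reciprocal.
 * Returns 0 and writes 0 if the context was never successfully set up. */
static int recp_mod(const recp_ctx *ctx, u128 x, uint64_t *out) {
    if (!ctx->valid) {
        *out = 0;
        return 0;
    }
    /* r <= 2^(2k)/m gives q <= x/m, and r >= 2^(2k)/m - 1 with x < 2^(2k)
     * gives q >= floor(x/m) - 1, so the remainder is in [0, 2m): one
     * correction step is enough, the loop is just defensive. */
    u128 q = (x * (u128)ctx->r) >> ctx->shift;
    u128 rem = x - q * (u128)ctx->m;
    while (rem >= ctx->m)
        rem -= ctx->m;
    *out = (uint64_t)rem;
    return 1;
}

/* base^exp mod m with reciprocal reduction, shaped like a BN_mod_exp_recp
 * style caller: the setup result is checked and a rejected modulus aborts. */
static int mod_exp_recp(uint64_t base, uint64_t exp, uint64_t m, uint64_t *out) {
    recp_ctx ctx;
    uint64_t acc, b;
    if (!recp_ctx_set(&ctx, m))      /* zero divisor stops here */
        return 0;
    acc = 1 % m;                     /* also handles m == 1 */
    b = base % m;                    /* arbitrary base may exceed m^2 */
    while (exp) {
        if (exp & 1) {
            if (!recp_mod(&ctx, (u128)acc * b, &acc))
                return 0;
        }
        if (!recp_mod(&ctx, (u128)b * b, &b))
            return 0;
        exp >>= 1;
    }
    *out = acc;
    return 1;
}

int main(void) {
    recp_ctx ctx;
    uint64_t v;
    printf("zero divisor: %s\n",
           recp_ctx_set(&ctx, 0) ? "accepted (the reported defect)" : "rejected");
    if (mod_exp_recp(4, 13, 497, &v))
        printf("4^13 mod 497 = %llu\n", (unsigned long long)v);
    if (!mod_exp_recp(4, 13, 0, &v))
        printf("mod_exp_recp refused modulus 0\n");
    return 0;
}
```

The property worth carrying back to real code is the second one: whatever the setup routine does about a zero divisor, every caller of an exported reciprocal API should treat its return value as a hard error rather than assuming the context is usable.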

Comment 1 Guilherme de Almeida Suckevicz 2023-06-16 18:40:50 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 2215608]