Bug 2243839 (CVE-2023-5363)

Summary: CVE-2023-5363 openssl: Incorrect cipher key and IV length processing
Product: [Other] Security Response
Reporter: Sandipan Roy <saroy>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: adudiak, agarcial, aoconnor, asegurap, bdettelb, caswilli, csutherl, dfreiber, dhalasz, dkuc, fjansen, hkataria, jburrell, jclere, jmitchel, jsamir, jtanner, kaycoth, kshier, luizcosta, mmadzin, mturk, nweather, orabin, peholase, pjindal, plodge, psegedy, rogbas, rtillery, security-response-team, stcannon, sthirugn, szappis, tfister, vkrizan, vkumar, vmugicag, yguenane
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: OpenSSL 3.0.12, OpenSSL 3.1.4
Doc Text:
A flaw was found in OpenSSL in how it processes key and initialization vector (IV) lengths. This issue can lead to potential truncation or overruns during the initialization of some symmetric ciphers. A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. Both truncations and overruns of the key and the IV will produce incorrect results and could, in some cases, trigger a memory exception.
Bug Depends On: 2249063, 2249064, 2249065    
Bug Blocks: 2243841    

Description Sandipan Roy 2023-10-13 12:44:00 UTC
Issue summary: A bug has been identified in the processing of key and
initialisation vector (IV) lengths. This can lead to potential truncation
or overruns during the initialisation of some symmetric ciphers.

Impact summary: A truncation in the IV can result in non-uniqueness,
which could result in loss of confidentiality for some cipher modes.

When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or
EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after
the key and IV have been established. Any alterations to the key length,
via the "keylen" parameter or the IV length, via the "ivlen" parameter,
within the OSSL_PARAM array will not take effect as intended, potentially
causing truncation or overreading of these values. The following ciphers
and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.

For the CCM, GCM and OCB cipher modes, truncation of the IV can result in
loss of confidentiality. For example, when following NIST's SP 800-38D
section 8.2.1 guidance for constructing a deterministic IV for AES in
GCM mode, truncation of the counter portion could lead to IV reuse.

Both truncations and overruns of the key and overruns of the IV will
produce incorrect results and could, in some cases, trigger a memory
exception. However, these issues are not currently assessed as security
critical.

Changing the key and IV lengths is not considered to be a common operation
which implies the Moderate severity of this security issue.
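
The IV-reuse effect described above, as an added illustration (not code from this report or from OpenSSL): it simulates an SP 800-38D section 8.2.1 style deterministic IV and compares uniqueness when all of its bytes are consumed versus only a truncated prefix. The 16-byte layout (8-byte fixed field, 8-byte big-endian counter), the sample field value, and 12 bytes as the truncated length (OpenSSL's default GCM IV length) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIXED_LEN        8   /* assumed fixed (device) field length */
#define COUNTER_LEN      8   /* assumed invocation counter length */
#define INTENDED_IV_LEN  (FIXED_LEN + COUNTER_LEN) /* caller requests ivlen = 16 */
#define DEFAULT_IV_LEN   12  /* assumed truncated length: OpenSSL's GCM default */
#define MAX_MSGS         64

/* Deterministic construction: fixed field || big-endian invocation counter. */
static void build_iv(uint8_t iv[INTENDED_IV_LEN],
                     const uint8_t fixed[FIXED_LEN], uint64_t counter)
{
    memcpy(iv, fixed, FIXED_LEN);
    for (int i = 0; i < COUNTER_LEN; i++)
        iv[FIXED_LEN + i] = (uint8_t)(counter >> (8 * (COUNTER_LEN - 1 - i)));
}

/* Build IVs for n consecutive invocations and count how many repeat an
 * earlier IV when the cipher consumes only the first used_len bytes. */
static unsigned count_reused(unsigned n, size_t used_len)
{
    /* Constructed sample value for the fixed field. */
    static const uint8_t fixed[FIXED_LEN] = {'d','e','v','i','c','e','0','1'};
    uint8_t ivs[MAX_MSGS][INTENDED_IV_LEN];
    unsigned reused = 0;

    if (n > MAX_MSGS) n = MAX_MSGS;
    if (used_len > INTENDED_IV_LEN) used_len = INTENDED_IV_LEN;
    for (unsigned i = 0; i < n; i++) {
        build_iv(ivs[i], fixed, i);
        for (unsigned j = 0; j < i; j++)
            if (memcmp(ivs[i], ivs[j], used_len) == 0) { reused++; break; }
    }
    return reused;
}

int main(void)
{
    printf("all %d bytes used:    %u reused IVs\n",
           INTENDED_IV_LEN, count_reused(MAX_MSGS, INTENDED_IV_LEN));
    printf("truncated to %d bytes: %u reused IVs\n",
           DEFAULT_IV_LEN, count_reused(MAX_MSGS, DEFAULT_IV_LEN));
    return 0;
}
```

With this layout the truncation drops the four low-order counter bytes, so every invocation after the first repeats the same effective IV under the same key.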

Comment 3 Tomas Hoger 2023-10-25 11:28:42 UTC
Public now via upstream advisory:
https://www.openssl.org/news/secadv/20231024.txt

Comment 5 Sandipan Roy 2023-11-10 13:59:31 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-37 [bug 2249064]
Affects: fedora-38 [bug 2249065]


Created openssl3 tracking bugs for this issue:

Affects: epel-8 [bug 2249063]

Comment 7 errata-xmlrpc 2024-01-22 01:14:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0310 https://access.redhat.com/errata/RHSA-2024:0310

Comment 8 errata-xmlrpc 2024-01-25 16:43:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0500 https://access.redhat.com/errata/RHSA-2024:0500