Bug 2258502 (CVE-2023-6237)

Summary: CVE-2023-6237 openssl: Excessive time spent checking invalid RSA public keys
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: adudiak, bdettelb, caswilli, csutherl, dfreiber, dkuc, drow, fjansen, hkataria, jburrell, jclere, jmitchel, jsamir, jsherril, jtanner, kaycoth, kshier, luizcosta, mmadzin, nweather, orabin, pjindal, plodge, stcannon, sthirugn, szappis, tsasak, vkrizan, vkumar, vmugicag, yguenane
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: openssl 3.0.13, openssl 3.1.5, openssl 3.2.1
Doc Text:
A flaw was found in OpenSSL. When the EVP_PKEY_public_check() function is called on RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack.
Bug Depends On: 2258505, 2258506, 2258507, 2258508    
Bug Blocks: 2258503    

Description Mauro Matteo Cascella 2024-01-15 18:04:44 UTC
Applications that use the function EVP_PKEY_public_check() to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may lead to a Denial of Service. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack.

The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue. OpenSSL versions 3.0.0 to 3.0.12, 3.1.0 to 3.1.4 and 3.2.0 are vulnerable to this issue. OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue.

References:
https://www.openssl.org/news/secadv/20240115.txt
https://www.openwall.com/lists/oss-security/2024/01/15/2

Upstream fix:
https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a (3.0.13)
https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294 (3.1.5)
https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d (3.2.1)
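
The Doc Text above says the check finishes quickly when n is composite and takes a long time when n is a large prime. The sketch below is an added illustration, not OpenSSL's code and not part of this bug report: it models the compositeness step with a textbook Miller-Rabin test, counts the rounds it runs, and puts a caller-side size cap in front of it. `MAX_MODULUS_BITS`, the fixed bases, the function names and the sample moduli are assumptions constructed for the example.

```python
# Added illustration, not OpenSSL source: a textbook Miller-Rabin test stands in
# for the "is n composite?" step so the work it performs can be counted.
MAX_MODULUS_BITS = 16384  # assumed application policy cap (not taken from this page)
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # fixed bases: reproducible runs

# Constructed sample moduli built from known Mersenne primes.
COMPOSITE_N = (2**127 - 1) * (2**89 - 1)  # shaped like a valid modulus: product of two primes
PRIME_N = 2**127 - 1                      # invalid modulus: n itself is prime
OVERSIZED_N = 2**21701 - 1                # invalid modulus: prime and far above the cap


def compositeness_rounds(n):
    """Return (is_composite, rounds_executed) for odd n > 37."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for i, a in enumerate(BASES, start=1):
        x = pow(a, d, n)  # one full-size modular exponentiation; cost grows with n's bit length
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return True, i  # witness found: a composite n normally exits in round 1
    return False, len(BASES)  # no witness: a prime n pays for every round


def check_untrusted_modulus(n, max_bits=MAX_MODULUS_BITS):
    """Caller-side guard: cheap rejections first, compositeness test last."""
    if n.bit_length() > max_bits:
        return "rejected: modulus too large"  # decided without any exponentiation
    if n <= 37 or n % 2 == 0:
        return "rejected: modulus too small or even"
    composite, _ = compositeness_rounds(n)
    return "ok" if composite else "rejected: modulus is prime"


if __name__ == "__main__":
    for name, n in (("composite", COMPOSITE_N), ("prime", PRIME_N)):
        print(name, n.bit_length(), "bits ->", compositeness_rounds(n))
    print("oversized ->", check_untrusted_modulus(OVERSIZED_N))
```

The "ok" result only means the modulus passed these cheap sanity checks; it says nothing about whether the key is otherwise trustworthy.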

Comment 1 Mauro Matteo Cascella 2024-01-15 18:21:01 UTC
Created edk2 tracking bugs for this issue:

Affects: fedora-all [bug 2258506]


Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 2258507]


Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 2258508]


Created openssl3 tracking bugs for this issue:

Affects: epel-all [bug 2258505]

Comment 6 errata-xmlrpc 2024-04-30 10:52:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2447 https://access.redhat.com/errata/RHSA-2024:2447

Comment 8 errata-xmlrpc 2024-11-12 08:41:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9088 https://access.redhat.com/errata/RHSA-2024:9088