Bug 1381526 (CVE-2016-7798) - CVE-2016-7798 ruby: IV Reuse in GCM Mode
Summary: CVE-2016-7798 ruby: IV Reuse in GCM Mode
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-7798
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1381527
Blocks: 1381528
TreeView+ depends on / blocked
 
Reported: 2016-10-04 11:25 UTC by Andrej Nemec
Modified: 2021-02-17 03:14 UTC (History)
21 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:59:22 UTC
Embargoed:

Attachments (Terms of Use)

Description Andrej Nemec 2016-10-04 11:25:32 UTC 
An IV reuse bug was discovered in Ruby's OpenSSL library when using
aes-gcm. When encrypting data with aes-*-gcm, if the IV is set before
setting the key, the cipher will default to using a static IV. This creates
a static nonce and since aes-gcm is a stream cipher, this can lead to known
cryptographic issues.

References:

http://seclists.org/oss-sec/2016/q3/562

Upstream bug:

https://github.com/ruby/openssl/issues/49

Upstream patch:

https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062
Comment 1 Andrej Nemec 2016-10-04 11:26:13 UTC 
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1381527]
Comment 2 Huzaifa S. Sidhpurwala 2016-11-28 07:44:17 UTC 
Analysis:

As explained in https://github.com/ruby/openssl/issues/49#issuecomment-248171371
Calling cipher.key after calling cipher.iv zeros out the value of the iv, resulting in a possibly weak cryptographic operation. 


Mitigation:

A possible workaround to this flaw is, when using aes-256-gcm mode, always set the key first and then the iv. For example when setting random keys and iv use the following code segment:

key = cipher.random_key
iv = cipher.random_iv
Note You need to log in before you can comment on or make changes to this bug.