Severity: High In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes, altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. OpenSSL versions 1.1.1k and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1l. OpenSSL 1.0.2 is not impacted by this issue. OpenSSL 3.0 alpha/beta releases are also affected but this issue will be addressed before the final release. This issue was reported to OpenSSL on 12th August 2021 by John Ouyang. The fix was developed by Matt Caswell.
@cbuissar Hi Cedric, I'm not sure if this CVE is really applicable to RHEL, as we compile with 'no-sm2' as a config option, and therefore do not support it. Let me know what you think. Thank you.
Thanks Sahana. Yes, that seems to be correct; I can't find references to sm2 functions in the binaries. Let me have just one more look and I will close the BZs (all 5) as NOTABUG. However, as a side note: shouldn't we remove openssl's SM2 man page if we don't compile it in? (/usr/share/man/man7/SM2.7ssl.gz is part of the openssl package, and contains a code example for using openssl's SM2 encryption.)
Flaw description: SM2 is a signature and encryption algorithm (see `man sm2` for details). Given an SM2 encrypted message, openssl can calculate the expected length of the clear text version of that message. This is used by applications so that they can allocate the correct amount of memory to store the decrypted message. It was found that a specially crafted SM2 message could trick openssl into calculating an incorrect, shorter, length. This would result in applications using openssl's SM2 decryption functionality allocating insufficient memory. When the actual decryption happens, up to 62 arbitrary bytes could be written beyond the allocated buffer, corrupting the application's memory. This is likely to crash the application. It might also be feasible, depending on the application, to gain control of the execution.
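As an added illustration of the two-call EVP_PKEY_decrypt() pattern in the advisory and the "incorrect, shorter, length" in the flaw description above, the following C program is my own model and is not OpenSSL code or anything attached to this bug. It assumes (from the structure the upstream fix decodes) that an SM2 ciphertext is DER SEQUENCE { INTEGER x, INTEGER y, OCTET STRING C3, OCTET STRING C2 }, with 32-byte coordinates and a 32-byte C3 digest. The fixed-overhead constant in pt_size_fixed_overhead() is my reconstruction of a pre-fix style estimate, not a quotation of OpenSSL source; pt_size_from_der() models the post-fix approach of reading the real C2 length out of the encoding. Contents are filler bytes and no SM2 encryption takes place. Compile with `cc -std=c99 -Wall -Wextra sm2_len.c -o sm2_len`.

```c
/* Added example (not OpenSSL code): model of the SM2 plaintext-size bug.
 * Assumed ciphertext shape (from the structure the upstream fix decodes):
 * SEQUENCE { INTEGER x, INTEGER y, OCTET STRING C3, OCTET STRING C2 }. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_SIZE 32 /* assumed: sm2p256v1 coordinate, in bytes */
#define MD_SIZE    32 /* assumed: C3 is an SM3 digest */

static const uint8_t TAGS[4] = { 0x02, 0x02, 0x04, 0x04 }; /* x, y, C3, C2 */
/* Parse one DER tag/length header (lengths below 256 only); returns header
 * length, 0 on mismatch. */
static size_t der_get_hdr(const uint8_t *p, size_t n, uint8_t tag, size_t *len)
{
    if (n < 2 || p[0] != tag)
        return 0;
    if (p[1] < 0x80) {         /* short form */
        *len = p[1];
        return 2;
    }
    if (p[1] != 0x81 || n < 3) /* only the one-byte long form is modelled */
        return 0;
    *len = p[2];
    return 3;
}

/* Pre-fix style estimate (the constant is this example's reconstruction):
 * assumes x and y always occupy FIELD_SIZE bytes each, so a ciphertext whose
 * INTEGERs are DER-encoded shorter yields an undersized plaintext length. */
size_t pt_size_fixed_overhead(size_t ct_len)
{
    const size_t overhead = 10 + 2 * FIELD_SIZE + MD_SIZE;
    return ct_len > overhead ? ct_len - overhead : 0; /* 0: too short to decrypt */
}

/* Post-fix style estimate: walk the DER and report the actual C2 length. */
int pt_size_from_der(const uint8_t *ct, size_t ct_len, size_t *pt)
{
    size_t off, h, len, i;
    h = der_get_hdr(ct, ct_len, 0x30, &len);
    if (h == 0 || h + len != ct_len)
        return 0;
    for (off = h, i = 0; i < 4; i++) {
        h = der_get_hdr(ct + off, ct_len - off, TAGS[i], &len);
        if (h == 0 || len > ct_len - off - h || (i == 2 && len != MD_SIZE))
            return 0;              /* wrong tag, truncated, or C3 not a digest */
        off += h;
        if (i == 3) {              /* C2 must end the SEQUENCE exactly */
            *pt = len;
            return off + len == ct_len;
        }
        off += len;
    }
    return 0;
}

/* Construct a syntactically valid ciphertext with chosen INTEGER lengths
 * (each element below 128 bytes). Contents are filler; nothing is encrypted. */
size_t build_ct(uint8_t *out, size_t cap, size_t xlen, size_t ylen, size_t c2len)
{
    const size_t lens[4] = { xlen, ylen, MD_SIZE, c2len };
    uint8_t body[255];
    size_t n = 0, h, i;
    for (i = 0; i < 4; i++) {
        if (lens[i] == 0 || lens[i] > 0x7f || n + 2 + lens[i] > sizeof body)
            return 0;
        body[n++] = TAGS[i];
        body[n++] = (uint8_t)lens[i];
        memset(body + n, 0x41 + (int)i, lens[i]); /* 'A'..'D': positive, minimal */
        n += lens[i];
    }
    if (cap < n + 3)
        return 0;
    out[0] = 0x30;                                /* SEQUENCE header */
    if (n < 0x80) { out[1] = (uint8_t)n; h = 2; }
    else { out[1] = 0x81; out[2] = (uint8_t)n; h = 3; }
    memcpy(out + h, body, n);
    return h + n;
}

/* Bytes by which the fixed-overhead estimate undercounts C2 for a ciphertext
 * built with the given lengths; 0 when the estimate is safe or nothing parses. */
size_t shortfall_for(size_t xlen, size_t ylen, size_t c2len)
{
    uint8_t ct[255];
    size_t real = 0, n = build_ct(ct, sizeof ct, xlen, ylen, c2len);
    size_t est = pt_size_fixed_overhead(n);
    if (n == 0 || est == 0 || !pt_size_from_der(ct, n, &real))
        return 0;
    return real > est ? real - est : 0;
}

int main(void)
{
    printf("1-byte x,y,  80-byte C2: estimate short by %zu\n", shortfall_for(1, 1, 80));
    printf("32-byte x,y, 80-byte C2: estimate short by %zu\n", shortfall_for(32, 32, 80));
    return 0;
}
```

In this model, encoding both coordinates as single-byte INTEGERs instead of 32-byte ones makes the fixed-overhead estimate 62 bytes shorter than the real C2 length, which matches the maximum quoted in the advisory; with full-width coordinates the estimate is never too small. An application that sized its buffer from the first EVP_PKEY_decrypt() call had no way to detect the shortfall itself, which is why the fix had to land in the library.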
On openssl version 1.1.1, to manually verify if a given openssl package provides SM2: $ openssl list -public-key-algorithms And look for 'sm2' in the output. This should be sufficient to determine whether it supports sm2 or not. Versions 1.0.2 and older do not have support for the `list` command, but do not support SM2 either.
Upstream fix, for the 1.1.1 branch : https://github.com/openssl/openssl/commit/59f5e75f3bced8fc0e130d72a3f582cf7b480b46
Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1997212] Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1997210] Created openssl11 tracking bugs for this issue: Affects: epel-7 [bug 1997211]
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8 Via RHSA-2021:4618 https://access.redhat.com/errata/RHSA-2021:4618
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3711