Technical details and steps to reproduce can be found on the referenced GitHub pages below.

BIGNUM reciprocal lacks proper check for 0 divisor in BN_RECP_CTX_set

[Additional Information]
This is a similar vulnerability to the root cause of CVE-2015-1794.
------------------------------------------
[VulnerabilityType Other]
CWE-20 Improper input validation
------------------------------------------
[Vendor of Product]
OpenSSL
------------------------------------------
[Affected Product Code Base]
All versions to date
------------------------------------------
[Affected Component]
BIGNUM reciprocal implementation (exported function), crypto/bn/bn_recp.c:BN_RECP_CTX_set
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Denial of Service]
true
------------------------------------------
[Attack Vectors]
The root cause of this vulnerability is that the initial set-up function BN_RECP_CTX_set does not verify the divisor against 0 and returns success. Without a return value indicating an illegal divisor, the developer may miss the divide-by-zero error and set up the relevant logic on a context that is invalid. Unlike CVE-2015-1794<https://github.com/advisories/GHSA-x29w-fcg6-7f9m>, BIGNUM reciprocal is only used in BN_mod_exp_recp, where the divisor is checked after invoking BN_RECP_CTX_set. Thus the defect does not constitute a critical vulnerability in OpenSSL itself. However, the reciprocal-related functions are exported, and with a simple code search I found a few projects using them directly, like rnpgp<https://github.com/rnpgp/rnp/blob/ed195f81b71a40eac2b0a61b0778b1cf717d6191/src/lib/crypto/elgamal_ossl.cpp#L83>. So it is a good idea to regard it as a vulnerability so downstream developers may get a chance to check if their usage is impacted.
------------------------------------------
[Reference]
Technical report and PoC: https://github.com/openssl/openssl/issues/21111 (BIGNUM reciprocal lacks proper check for 0 divisor in `BN_RECP_CTX_set` · Issue #21111 · openssl/openssl)
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
fullwaywang from Tencent
Created openssl tracking bugs for this issue: Affects: fedora-all [bug 2215608]