Bug 1995623 (CVE-2021-3711) - CVE-2021-3711 openssl: SM2 Decryption Buffer Overflow
Summary: CVE-2021-3711 openssl: SM2 Decryption Buffer Overflow
Alias: CVE-2021-3711
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1995626 1995627 1995628 1995629 1997210 1997211 1997212 1997222
Blocks: 1995569
TreeView+ depends on / blocked
Reported: 2021-08-19 14:08 UTC by Cedric Buissart
Modified: 2021-11-11 18:58 UTC (History)
35 users (show)

Fixed In Version: openssl 1.1.1l
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in openssl. A miscalculation of a buffer size was found in openssl's SM2 decryption function, allowing up to 62 arbitrary bytes to be written outside of the buffer. A remote attacker could use this flaw to crash an application supporting SM2 signature or encryption algorithm, or, possibly, execute arbitrary code with the permissions of the user running that application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Last Closed: 2021-11-11 18:58:15 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4618 0 None None None 2021-11-11 18:32:27 UTC

Description Cedric Buissart 2021-08-19 14:08:25 UTC
Severity: High

In order to decrypt SM2 encrypted data an application is expected to call the
API function EVP_PKEY_decrypt(). Typically an application will call this
function twice. The first time, on entry, the "out" parameter can be NULL and,
on exit, the "outlen" parameter is populated with the buffer size required to
hold the decrypted plaintext. The application can then allocate a sufficiently
sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL
value for the "out" parameter.

A bug in the implementation of the SM2 decryption code means that the
calculation of the buffer size required to hold the plaintext returned by the
first call to EVP_PKEY_decrypt() can be smaller than the actual size required by
the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is
called by the application a second time with a buffer that is too small.

A malicious attacker who is able present SM2 content for decryption to an
application could cause attacker chosen data to overflow the buffer by up to a
maximum of 62 bytes altering the contents of other data held after the
buffer, possibly changing application behaviour or causing the application to
crash. The location of the buffer is application dependent but is typically
heap allocated.

OpenSSL versions 1.1.1k and below are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1l.

OpenSSL 1.0.2 is not impacted by this issue.

OpenSSL 3.0 alpha/beta releases are also affected but this issue will be
addressed before the final release.

This issue was reported to OpenSSL on 12th August 2021 by John Ouyang. The fix
was developed by Matt Caswell.

Comment 2 Sahana Prasad 2021-08-19 15:33:10 UTC
Hi Cedric,
I'm not sure if this CVE is really applicable to RHEL,
as we compile with 'no-sm2' as a config option, and therefore do
not support it. Let me know what you think.
Thank you.

Comment 3 Cedric Buissart 2021-08-19 16:57:04 UTC
Thanks Sahana,

Yes, that seems to be correct, I can't find references to sm2 functions in the binaries.

Let me have just one more look and I will close the BZs (all 5) as NOTABUG.

However, as a side note: shouldn't we remove openssl's SM2 man page if we don't compile it in ? ( /usr/share/man/man7/SM2.7ssl.gz is part of the openssl package, and contains code example to use openssl's SM2 encryption)

Comment 9 Cedric Buissart 2021-08-20 16:16:51 UTC
Flaw description:

SM2 is an signature and encryption algorithm (see `man sm2` for details)

Given an SM2 encrypted message, openssl can calculate the expected length of the clear text version of that message. This is used by applications so that they can allocate the correct amount of memory to store the decrypted message.

It was found that a specially crafted SM2 message could trick openssl into calculating an incorrect, shorter, length. This would result in applications using openssl's SM2 decryption functionality to allocate insufficient memory.

When the actual decryption happens, up to 62 arbitrary bytes could be written beyond the allocated buffer, corrupting the application's memory.

This is likely to crash the application. It might also be feasible, depending on the application, to gain control of the execution.

Comment 12 Cedric Buissart 2021-08-23 09:04:37 UTC
On openssl version 1.1.1, to manually verify is a given openssl package provides SM2 :

$ openssl list -public-key-algorithms

And look for 'sm2' in the output. This should be sufficient to defined whether it supports sm2 or not.

Version 1.0.2 and older to not have support for the `list` command, but do not support SM2 either.

Comment 13 Cedric Buissart 2021-08-24 13:53:25 UTC
Upstream fix, for the 1.1.1 branch :

Comment 14 Cedric Buissart 2021-08-24 16:04:56 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1997212]

Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1997210]

Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 1997211]

Comment 16 errata-xmlrpc 2021-11-11 18:32:24 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2021:4618 https://access.redhat.com/errata/RHSA-2021:4618

Comment 17 Product Security DevOps Team 2021-11-11 18:58:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.