Bug 2223016 (CVE-2023-2975) - CVE-2023-2975 openssl: AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries
Summary: CVE-2023-2975 openssl: AES-SIV cipher implementation contains a bug that caus...
Keywords:
Status: NEW
Alias: CVE-2023-2975
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2223821 2223825 2223017 2223018 2223019 2223020 2223021 2223022 2223023 2223024 2223025 2223026 2223820 2223822 2223823 2223824 2223826 2223827
Blocks: 2223014
TreeView+ depends on / blocked
 
Reported: 2023-07-14 21:01 UTC by Zack Miele
Modified: 2024-02-19 09:53 UTC (History)
50 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in OpenSSL. The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries, which are unauthenticated as a consequence. Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be misled by removing, adding, or reordering such empty entries as these are ignored by the OpenSSL implementation. The AES-SIV algorithm allows for the authentication of multiple associated data entries and encryption. To authenticate empty data, the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with a NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL returns success for such a call instead of performing the associated data authentication operation. Thus, the empty data will not be authenticated.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Zack Miele 2023-07-14 21:01:37 UTC
Issue summary: The AES-SIV cipher implementation contains a bug that causes
it to ignore empty associated data entries which are unauthenticated as
a consequence.

Impact summary: Applications that use the AES-SIV algorithm and want to
authenticate empty data entries as associated data can be mislead by removing
adding or reordering such empty entries as these are ignored by the OpenSSL
implementation. We are currently unaware of any such applications.

The AES-SIV algorithm allows for authentication of multiple associated
data entries along with the encryption. To authenticate empty data the
application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with
NULL pointer as the output buffer and 0 as the input buffer length.
The AES-SIV implementation in OpenSSL just returns success for such a call
instead of performing the associated data authentication operation.
The empty data thus will not be authenticated.

As this issue does not affect non-empty associated data authentication and
we expect it to be rare for an application to use empty associated data
entries this is qualified as Low severity issue.

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc
https://www.openssl.org/news/secadv/20230714.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598

This has not been included in a specific release but has been added to the master, 3.1, and 3.0 branches
https://github.com/openssl/openssl/pull/21384

Comment 2 Sandipan Roy 2023-07-19 04:35:45 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-37 [bug 2223822]
Affects: fedora-38 [bug 2223825]


Created openssl tracking bugs for this issue:

Affects: fedora-37 [bug 2223823]
Affects: fedora-38 [bug 2223826]


Created openssl1.1 tracking bugs for this issue:

Affects: fedora-37 [bug 2223824]
Affects: fedora-38 [bug 2223827]


Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 2223820]


Created openssl3 tracking bugs for this issue:

Affects: epel-8 [bug 2223821]


Note You need to log in before you can comment on or make changes to this bug.