Incorrect cipher key & IV length processing
CVE-2023-5363

7.5HIGH

Key Information:

Vendor
OpenSSL
Status
OpenSSL
Vendor
CVE Published:
25 October 2023

Summary

A vulnerability has been identified within OpenSSL affecting the handling of key and initialization vector (IV) lengths. This issue can lead to truncation or overrun during the initialization of various symmetric cipher modes, including RC2, RC4, RC5, CCM, GCM, and OCB. The flaw occurs when altering parameters within the OSSL_PARAM array, as changes to the key or IV lengths may go unprocessed after their establishment. In particular, a truncated IV in modes like GCM could result in IV reuse, potentially compromising confidentiality. Although the likelihood of exploitation is low due to the nature of key and IV alterations, any applications that inadvertently fall victim to this issue could face serious security implications.

Affected Version(s)

OpenSSL 3.0.0 < 3.0.12

OpenSSL 3.1.0 < 3.1.4

References

https://www.openssl.org/news/secadv/20231024.txt
vendor-advisory
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdif...
patch
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdif...
patch

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tony Battersby (Cybernetics)
Dr Paul Dale
.