- Fix Use After Free for large message sizes
The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received then the underlying buffer to store the incoming message is reallocated and moved. Unfortunately a dangling pointer to the old location is left which results in an attempt to write to the previously freed location. This is likely to result in a crash, however it could potentially lead to execution of arbitrary code.
This issue only affects OpenSSL 1.1.0a.
This issue was reported to OpenSSL by Robert Święcki. [CVE-2016-6309]
- For built-in EC curves, ensure an EC_GROUP built from the curve name is
used even when parsing explicit parameters, when loading a serialized key
EC_GROUP_new_from_ecparameters(). This prevents bypass of security hardening and performance gains, especially for curves with specialized EC_METHODs. By default, if a key encoded with explicit parameters is loaded and later serialized, the output is still encoded with explicit parameters, even if internally a "named" EC_GROUP is used for computation.
- Compute ECC cofactors if not provided during EC_GROUP construction. Before this change, EC_GROUP_set_generator would accept order and/or cofactor as NULL. After this change, only the cofactor parameter can be NULL. It also does some minimal sanity checks on the passed order. [CVE-2019-1547]
Billy Bob Brumley
- Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. An attack is simple, if the first CMS_recipientInfo is valid but the second CMS_recipientInfo is chosen ciphertext. If the second recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct encryption key will be replaced by garbage, and the message cannot be decoded, but if the RSA decryption fails, the correct encryption key is used and the recipient will not notice the attack. As a work around for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the certifiate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. [CVE-2019-1563]
- Document issue with installation paths in diverse Windows builds
'/usr/local/ssl' is an unsafe prefix for location to install OpenSSL binaries and run-time config file. [CVE-2019-1552]
- For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading a serialized key or calling
- Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
This changes the size when using the
genpkeycommand when no size is given. It fixes an omission in earlier changes that changed all RSA, DSA and DH generation commands to use 2048 bits by default.
- Add FIPS support for Android Arm 64-bit
Support for Android Arm 64-bit was added to the OpenSSL FIPS Object Module in Version 2.0.10. For some reason, the corresponding target 'android64-aarch64' was missing OpenSSL 1.0.2, whence it could not be built with FIPS support on Android Arm 64-bit. This omission has been fixed.
Matthias St. Pierre
- Change the default RSA, DSA and DH size to 2048 bit instead of 1024. This changes the size when using the
- 0-byte record padding oracle
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data.
In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).
This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt. It was reported to OpenSSL on 10th December 2018. [CVE-2019-1559]
- Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
- Microarchitecture timing vulnerability in ECC scalar multiplication
OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown to be vulnerable to a microarchitecture timing side channel attack. An attacker with sufficient access to mount local timing attacks during ECDSA signature generation could recover the private key.
This issue was reported to OpenSSL on 26th October 2018 by Alejandro Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and Nicola Tuveri. [CVE-2018-5407]
- Timing vulnerability in DSA signature generation
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. [CVE-2018-0734]
- Resolve a compatibility issue in EC_GROUP handling with the FIPS Object Module, accidentally introduced while backporting security fixes from the development branch and hindering the use of ECC in FIPS mode.
- Client DoS due to large DH parameter
During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack.
This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken [CVE-2018-0732]
- Cache timing vulnerability in RSA Key Generation
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key.
This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia. [CVE-2018-0737]
- Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str parameter is no longer accepted, as it leads to a corrupt table. NULL pem_str is reserved for alias entries only.
- Revert blinding in ECDSA sign and instead make problematic addition length-invariant. Switch even to fixed-length Montgomery multiplication.
- Change generating and checking of primes so that the error rate of not being prime depends on the intended use based on the size of the input. For larger primes this will result in more rounds of Miller-Rabin. The maximal error rate for primes with more than 1080 bits is lowered to 2-128.
Kurt Roeckx, Annie Yousar
- Increase the number of Miller-Rabin rounds for DSA key generating to 64.
- Add blinding to ECDSA and DSA signatures to protect against side channel attacks discovered by Keegan Ryan (NCC Group).
- When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases.
- Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed.
- Constructed ASN.1 types with a recursive definition could exceed the stack
Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe.
This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz project. [CVE-2018-0739]
- Read/write after SSL object in error state
OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer.
In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error.
This issue was reported to OpenSSL by David Benjamin (Google). [CVE-2017-3737]
- rsaz_1024_mul_avx2 overflow bug on x86_64
There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701.
This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation).
This issue was reported to OpenSSL by David Benjamin (Google). The issue was originally found via the OSS-Fuzz project. [CVE-2017-3738]
- bn_sqrx8x_internal carry bug on x86_64
There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients.
This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.
This issue was reported to OpenSSL by the OSS-Fuzz project. [CVE-2017-3736]
- Malformed X.509 IPAddressFamily could cause OOB read
If an X.509 certificate has a malformed IPAddressFamily extension, OpenSSL could do a one-byte buffer overread. The most likely result would be an erroneous display of the certificate in text format.
This issue was reported to OpenSSL by the OSS-Fuzz project. [CVE-2017-3735]
- Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target platform rather than 'mingw'.