Detection Guidance

This vulnerability arises from improper handling of RSA KEM RSASVE encapsulation failures in certain OpenSSL versions. Detection involves identifying if your system is running an affected OpenSSL version (3.0, 3.3, 3.4, 3.5, or 3.6 including their FIPS modules) and whether applications use RSASVE key encapsulation without validating RSA public keys before encapsulation.

To detect the vulnerability on your system, first check the OpenSSL version installed:

• openssl version

If the version is one of the affected releases, you should verify whether applications use EVP_PKEY_encapsulate() with RSA/RSASVE and whether they perform RSA public key validation using EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before encapsulation.

Since the vulnerability involves leaking uninitialized memory when RSA_public_encrypt() fails, network detection might be challenging without specific application-level logging or instrumentation. However, you can monitor for unexpected or malformed RSA public keys being processed or unusual encapsulation failures in application logs.

There are no specific built-in OpenSSL commands to directly detect this vulnerability at runtime, but you can audit your application code for correct usage of EVP_PKEY_public_check() before encapsulation and ensure your OpenSSL library is updated to a patched version (3.0.20, 3.3.7, 3.4.5, 3.5.6, or 3.6.2).

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to leakage of sensitive data. Because the uninitialized buffer may contain sensitive information from previous executions of the application process, an attacker can potentially obtain this data by exploiting the vulnerability.

The attacker can supply an invalid RSA public key and cause the application to send uninitialized or stale memory contents instead of a valid encrypted key, thereby exposing potentially sensitive information.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, applications should call EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before calling EVP_PKEY_encapsulate() when using RSA/RSASVE keys.

Useful 0 Not Useful 0

Executive Summary

This vulnerability occurs in applications using RSASVE key encapsulation to establish a secret encryption key. The issue is that these applications can send contents of an uninitialized memory buffer to a malicious peer.

Specifically, the RSA_public_encrypt() function returns the number of bytes written on success and -1 on error, but the affected code only checks if the return value is non-zero. This means that if RSA encryption fails, the function may still indicate success, set output lengths, and leave the caller to use whatever is in the ciphertext buffer, which may be uninitialized or stale data.

If an attacker supplies an invalid RSA public key and the application does not validate it before calling EVP_PKEY_encapsulate(), the attacker can receive uninitialized or stale contents from the ciphertext buffer instead of a valid key encapsulation message.

A workaround is to call EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() to validate the RSA public key and mitigate the issue.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability can lead to the leakage of sensitive data from uninitialized memory buffers to an attacker. Such leakage of sensitive information could potentially impact compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive data from unauthorized disclosure.

However, the provided information does not explicitly discuss compliance implications or how this vulnerability directly affects adherence to these standards.

Useful 0 Not Useful 0