Vulnerability CVE-2023-5363 in OpenSSL

A vulnerability, CVE-2023-5363, was found in the OpenSSL software. The initialization of the encryption key length and the initialization vector in OpenSSL is incorrect. However, a fix is already available for the Linux distributions Debian and Ubuntu.



I became aware of the issue or the OpenSSL vulnerability CVE-2023-5363 via the following BlueSky post.

The flaw is described on cve.mitre.org under CVE-2023-5363. A flaw was found in how OpenSSL processes the lengths of the key and the initialization vector (IV). This can lead to truncation or overflows during initialization of some symmetric ciphers, which results in a loss of confidentiality for some cipher modes.

  • The ciphers and encryption modes affected are RC2, RC4, RC5, CCM, GCM, and OCB.
  • For the CCM, GCM, and OCB encryption modes, truncating the IV can lead to a loss of confidentiality.
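Why a cut IV costs confidentiality, as an added sketch that is not code from the advisory or from OpenSSL: two IVs that differ only in their last bytes become the same IV once shortened, so the same keystream encrypts both messages. The sketch assumes a stand-in keystream (SHA-256 in counter mode, not AES-GCM), a constructed 16-byte IV layout with the counter in the last 4 bytes, and a 12-byte effective IV length.

```python
import hashlib
from collections import defaultdict

GCM_DEFAULT_IV_LEN = 12  # bytes; assumed effective length when the requested one is ignored

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Stand-in counter-mode keystream (SHA-256 over key|iv|counter), NOT AES-GCM.
    blocks = (hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, iv: bytes, pt: bytes, effective_iv_len: int) -> bytes:
    # effective_iv_len models the cipher context: only this many IV bytes are used.
    return xor(pt, keystream(key, iv[:effective_iv_len], len(pt)))

def colliding_ivs(ivs, effective_iv_len):
    # Group distinct IVs that become identical once cut to effective_iv_len.
    groups = defaultdict(list)
    for iv in ivs:
        groups[iv[:effective_iv_len]].append(iv)
    return [g for g in groups.values() if len(set(g)) > 1]

def demo():
    key = bytes(range(32))                       # constructed sample key
    prefix = b"\x00" * 12                        # constructed fixed 12-byte prefix
    iv1, iv2 = prefix + b"\x00\x00\x00\x01", prefix + b"\x00\x00\x00\x02"
    p1, p2 = b"transfer 100 EUR to A", b"transfer 900 EUR to B"
    leak = {}
    for name, ivlen in (("intended", 16), ("truncated", GCM_DEFAULT_IV_LEN)):
        c1, c2 = encrypt(key, iv1, p1, ivlen), encrypt(key, iv2, p2, ivlen)
        # True means the two ciphertexts alone reveal p1 XOR p2 (keystream reuse).
        leak[name] = xor(c1, c2) == xor(p1, p2)
    return leak, colliding_ivs([iv1, iv2], GCM_DEFAULT_IV_LEN)

if __name__ == "__main__":
    print(demo())
```

Running `colliding_ivs` over the IVs an application actually generates, with the length the cipher context reports, shows whether its IV scheme would have been exposed by the truncation.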

Both truncations and overflows of the key, and overflows of the IV, lead to incorrect results and could trigger a memory exception in some cases. However, these problems are not currently considered to be security critical. Changing key and/or IV lengths is not considered a common operation, and the vulnerable API was introduced only recently.

In addition, application developers would likely have discovered this problem during testing, CVE-Mitre writes, since decryption would fail unless both communicating peers were similarly vulnerable. For these reasons, the CVE-Mitre folks believe that the likelihood of an application being vulnerable to this problem is quite low.



However, if an application is vulnerable, this problem is considered very serious. For these reasons, this issue has been rated as moderately severe overall.

  • The OpenSSL SSL/TLS implementation is not affected by this issue.
  • The OpenSSL 3.0 and 3.1 FIPS providers are not affected because the problem is outside the FIPS provider boundary.
  • OpenSSL 3.1 and 3.0 are vulnerable to this issue, however.

More details can be found on the CVE page for CVE-2023-5363, which lists references to Debian, OpenWall, etc.


