what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 6 of 6 RSS Feed

CVE-2023-2975

Status Candidate

Overview

Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence. Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be mislead by removing adding or reordering such empty entries as these are ignored by the OpenSSL implementation. We are currently unaware of any such applications. The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such a call instead of performing the associated data authentication operation. The empty data thus will not be authenticated. As this issue does not affect non-empty associated data authentication and we expect it to be rare for an application to use empty associated data entries this is qualified as Low severity issue.

Related Files

Red Hat Security Advisory 2024-2447-03
Posted Apr 30, 2024
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2024-2447-03 - An update for openssl and openssl-fips-provider is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

tags | advisory, denial of service
systems | linux, redhat
advisories | CVE-2023-2975
SHA-256 | 462bc3d09215be0bbf81e8c4c531f8af9c1a08788384e4109de00f728a5419d4
Gentoo Linux Security Advisory 202402-08
Posted Feb 5, 2024
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 202402-8 - Multiple vulnerabilities have been found in OpenSSL, the worst of which could result in denial of service. Versions greater than or equal to 3.0.10 are affected.

tags | advisory, denial of service, vulnerability
systems | linux, gentoo
advisories | CVE-2022-3358, CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0216, CVE-2023-0217, CVE-2023-0286, CVE-2023-0401, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-2650, CVE-2023-2975
SHA-256 | 21ad378435b07083191f0c5fc69298cd031080be76d8665f35aae2aacebb11f1
Ubuntu Security Notice USN-6450-1
Posted Oct 24, 2023
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6450-1 - Tony Battersby discovered that OpenSSL incorrectly handled key and initialization vector lengths. This could lead to truncation issues and result in loss of confidentiality for some symmetric cipher modes. Juerg Wullschleger discovered that OpenSSL incorrectly handled the AES-SIV cipher. This could lead to empty data entries being ignored, resulting in certain applications being misled. This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04.

tags | advisory
systems | linux, ubuntu
advisories | CVE-2023-2975, CVE-2023-3817, CVE-2023-5363
SHA-256 | 2d9459c9594f7dcc383dafcaff6092d57b63e811ab043a65d9d9516541186813
OpenSSL Toolkit 3.1.2
Posted Aug 1, 2023
Site openssl.org

OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide. The 3.1.x series is the current major version of OpenSSL.

Changes: Fixed excessive time spent checking DH q parameter value. Fixed DH_check() excessive time with over sized modulus. No longer ignoring empty associated data entries with AES-SIV. A change has been made to the enable-fips option.
tags | encryption, protocol
systems | unix
advisories | CVE-2023-2975, CVE-2023-3446, CVE-2023-3817
SHA-256 | a0ce69b8b97ea6a35b96875235aa453b966ba3cba8af2de23657d8b6767d6539
OpenSSL Toolkit 3.0.10
Posted Aug 1, 2023
Site openssl.org

OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide. The 3.x series is the current major version of OpenSSL.

Changes: Fixed excessive time spent checking DH q parameter value. Fixed DH_check() excessive time with over sized modulus. No longer ignoring empty associated data entries with AES-SIV.
tags | tool, encryption, protocol
systems | unix
advisories | CVE-2023-2975, CVE-2023-3446, CVE-2023-3817
SHA-256 | 1761d4f5b13a1028b9b6f3d4b8e17feb0cedc9370f6afe61d7193d2cdce83323
OpenSSL Security Advisory 20230714
Posted Jul 14, 2023
Site openssl.org

OpenSSL Security Advisory 20230714 - The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence.

tags | advisory
advisories | CVE-2023-2975
SHA-256 | 533eb47fbd60f88ad1ad3c18b56350b6804b9be10b8c81fe9a8f322433dad421
Page 1 of 1
Back1Next

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close