CVE-2023-6129

POLY1305 MAC implementation corrupts vector registers on PowerPC

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Issue summary: The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications running
on PowerPC CPU based platforms if the CPU provides vector instructions.

Impact summary: If an attacker can influence whether the POLY1305 MAC
algorithm is used, the application state might be corrupted with various
application dependent consequences.

The POLY1305 MAC (message authentication code) implementation in OpenSSL for
PowerPC CPUs restores the contents of vector registers in a different order
than they are saved. Thus the contents of some of these vector registers
are corrupted when returning to the caller. The vulnerable code is used only
on newer PowerPC processors supporting the PowerISA 2.07 instructions.

The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the application
process. However unless the compiler uses the vector registers for storing
pointers, the most likely consequence, if any, would be an incorrect result
of some application dependent calculations or a crash leading to a denial of
service.

The POLY1305 MAC algorithm is most frequently used as part of the
CHACHA20-POLY1305 AEAD (authenticated encryption with associated data)
algorithm. The most common usage of this AEAD cipher is with TLS protocol
versions 1.2 and 1.3. If this cipher is enabled on the server a malicious
client can influence whether this AEAD cipher is used. This implies that
TLS server applications using OpenSSL can be potentially impacted. However
we are currently not aware of any concrete application that would be affected
by this issue therefore we consider this a Low severity security issue.

Resumen del problema: la implementación POLY1305 MAC (código de autenticación de mensajes) contiene un error que podría dañar el estado interno de las aplicaciones que se ejecutan en plataformas basadas en CPU PowerPC si la CPU proporciona instrucciones vectoriales. Resumen del impacto: si un atacante puede influir en el uso del algoritmo MAC POLY1305, el estado de la aplicación podría corromperse con varias consecuencias dependientes de la aplicación. La implementación POLY1305 MAC (código de autenticación de mensajes) en OpenSSL para CPU PowerPC restaura el contenido de los registros vectoriales en un orden diferente al que se guardan. Por lo tanto, el contenido de algunos de estos registros vectoriales se corrompe cuando regresa al llamante. El código vulnerable se utiliza sólo en procesadores PowerPC más nuevos que admiten las instrucciones PowerISA 2.07. Las consecuencias de este tipo de corrupción del estado de la aplicación interna pueden ser diversas: desde ninguna consecuencia, si la aplicación que llama no depende en absoluto del contenido de los registros XMM no volátiles, hasta las peores consecuencias, donde el atacante podría obtener el control total de el proceso de solicitud. Sin embargo, a menos que el compilador utilice registros vectoriales para almacenar punteros, la consecuencia más probable, si la hubiera, sería un resultado incorrecto de algunos cálculos dependientes de la aplicación o una falla que provocaría una denegación de servicio. El algoritmo POLY1305 MAC se utiliza con mayor frecuencia como parte del algoritmo CHACHA20-POLY1305 AEAD (cifrado autenticado con datos asociados). El uso más común de este cifrado AEAD es con las versiones 1.2 y 1.3 del protocolo TLS. Si este cifrado está habilitado en el servidor, un cliente malicioso puede influir en si se utiliza este cifrado AEAD. Esto implica que las aplicaciones del servidor TLS que utilizan OpenSSL pueden verse potencialmente afectadas. Sin embargo, actualmente no conocemos ninguna aplicación concreta que pueda verse afectada por este problema, por lo que lo consideramos un problema de seguridad de gravedad baja.

A flaw was found in in the POLY1305 MAC (message authentication code) implementation in OpenSSL, affecting applications running on PowerPC CPU-based platforms that utilize vector instructions, and has the potential to corrupt the internal state of these applications. If an attacker can manipulate the utilization of the POLY1305 MAC algorithm, it may lead to the corruption of the application state, resulting in various application-dependent consequences, often resulting in a crash and leading to a denial of service.

*Credits: Sverker Eriksson, Rohan McLure

CVSS Scores

NISTv3.1 6.5

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-11-14 CVE Reserved
2024-01-09 CVE Published
2024-07-16 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-328: Use of Weak Hash
CWE-787: Out-of-bounds Write

CAPEC

References (11)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/03/11/1
https://security.netapp.com/advisory/ntap-20240216-0009
https://security.netapp.com/advisory/ntap-20240426-0008
https://security.netapp.com/advisory/ntap-20240426-0013
https://security.netapp.com/advisory/ntap-20240503-0011

URL	Date	SRC

URL	Date	SRC
https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35	2024-05-03
https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04	2024-05-03
https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015	2024-05-03

URL	Date	SRC
https://www.openssl.org/news/secadv/20240109.txt	2024-05-03
https://access.redhat.com/security/cve/CVE-2023-6129	2024-04-30
https://bugzilla.redhat.com/show_bug.cgi?id=2257571	2024-04-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				>= 3.0.0 <= 3.0.12 Search vendor "Openssl" for product "Openssl" and version " >= 3.0.0 <= 3.0.12"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				>= 3.1.0 <= 3.1.4 Search vendor "Openssl" for product "Openssl" and version " >= 3.1.0 <= 3.1.4"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				3.2.0 Search vendor "Openssl" for product "Openssl" and version "3.2.0"		-		Affected