CVE-2023-6237

Excessive time spent checking invalid RSA public keys

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Issue summary: Checking excessively long invalid RSA public keys may take
a long time.

Impact summary: Applications that use the function EVP_PKEY_public_check()
to check RSA public keys may experience long delays. Where the key that
is being checked has been obtained from an untrusted source this may lead
to a Denial of Service.

When function EVP_PKEY_public_check() is called on RSA public keys,
a computation is done to confirm that the RSA modulus, n, is composite.
For valid RSA keys, n is a product of two or more large primes and this
computation completes quickly. However, if n is an overly large prime,
then this computation would take a long time.

An application that calls EVP_PKEY_public_check() and supplies an RSA key
obtained from an untrusted source could be vulnerable to a Denial of Service
attack.

The function EVP_PKEY_public_check() is not called from other OpenSSL
functions however it is called from the OpenSSL pkey command line
application. For that reason that application is also vulnerable if used
with the '-pubin' and '-check' options on untrusted data.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.

Resumen del problema: la comprobación de claves públicas RSA inválidas excesivamente largas puede llevar mucho tiempo. Resumen de impacto: las aplicaciones que utilizan la función EVP_PKEY_public_check() para comprobar las claves públicas RSA pueden experimentar grandes retrasos. Cuando la clave que se está verificando se obtuvo de una fuente que no es confiable, esto puede dar lugar a una denegación de servicio. Cuando se llama a la función EVP_PKEY_public_check() en claves públicas RSA, se realiza un cálculo para confirmar que el módulo RSA, n, es compuesto. Para claves RSA válidas, n es un producto de dos o más números primos grandes y este cálculo se completa rápidamente. Sin embargo, si n es un número primo demasiado grande, entonces este cálculo llevaría mucho tiempo. Una aplicación que llama a EVP_PKEY_public_check() y proporciona una clave RSA obtenida de una fuente que no es de confianza podría ser vulnerable a un ataque de denegación de servicio. La función EVP_PKEY_public_check() no se llama desde otras funciones de OpenSSL, sin embargo, se llama desde la aplicación de línea de comandos pkey de OpenSSL. Por esa razón, esa aplicación también es vulnerable si se usa con las opciones '-pubin' y '-check' en datos que no son de confianza. La implementación de OpenSSL SSL/TLS no se ve afectada por este problema. Los proveedores FIPS OpenSSL 3.0 y 3.1 se ven afectados por este problema.

A flaw was found in OpenSSL. When the EVP_PKEY_public_check() function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack.

*Credits: OSS-Fuzz, Tomas Mraz

CVSS Scores

Red Hatv3.1 5.9

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-11-21 CVE Reserved
2024-01-15 CVE Published
2024-06-11 EPSS Updated
2024-08-20 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption

CAPEC

References (8)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/03/11/1
https://security.netapp.com/advisory/ntap-20240531-0007

URL	Date	SRC

URL	Date	SRC
https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d	2024-06-10
https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a	2024-06-10
https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294	2024-06-10

URL	Date	SRC
https://www.openssl.org/news/secadv/20240115.txt	2024-06-10
https://access.redhat.com/security/cve/CVE-2023-6237	2024-04-30
https://bugzilla.redhat.com/show_bug.cgi?id=2258502	2024-04-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
OpenSSL Search vendor "OpenSSL"		OpenSSL Search vendor "OpenSSL" for product "OpenSSL"				>= 3.0.0 < 3.0.13 Search vendor "OpenSSL" for product "OpenSSL" and version " >= 3.0.0 < 3.0.13"		en		Affected
OpenSSL Search vendor "OpenSSL"		OpenSSL Search vendor "OpenSSL" for product "OpenSSL"				>= 3.1.0 < 3.1.5 Search vendor "OpenSSL" for product "OpenSSL" and version " >= 3.1.0 < 3.1.5"		en		Affected
OpenSSL Search vendor "OpenSSL"		OpenSSL Search vendor "OpenSSL" for product "OpenSSL"				>= 3.2.0 < 3.2.1 Search vendor "OpenSSL" for product "OpenSSL" and version " >= 3.2.0 < 3.2.1"		en		Affected