Swift Crypto X-Wing HPKE Decapsulation Vulnerability
The X-Wing decapsulation path in swift-crypto accepts attacker-controlled encapsulated ciphertext bytes without enforcing the required fixed ciphertext length of 1120 bytes, leading to a potential out-of-bounds read.
A vulnerability exists in the X-Wing decapsulation path within the swift-crypto library (versions 4.0.0 to 4.3.0). The vulnerability stems from the lack of proper validation of the encapsulated ciphertext length during the decapsulation process. Specifically, the decapsulate function of OpenSSLXWingPrivateKeyImpl does not perform a length check before passing the encapsulated data to the underlying C API, which expects a fixed-size buffer of 1120 bytes. This allows an attacker to supply a shorter ciphertext, leading to an out-of-bounds read when the C code attempts to access memory beyond the provided buffer. This issue can be triggered by initializing an HPKE.Recipient with a malformed encapsulatedKey. Exploitation of this vulnerability could potentially lead to a crash or memory disclosure.
Attack Chain
- An attacker crafts a malformed HPKE encapsulated key with a length less than 1120 bytes.
- The attacker initiates a connection to a service utilizing the swift-crypto library with X-Wing HPKE.
- The service attempts to initialize an HPKE.Recipient with the attacker-controlled, malformed encapsulatedKey.
- The HPKE.Recipient initialization calls the decapsulate function of OpenSSLXWingPrivateKeyImpl.
- The decapsulate function passes the undersized encapsulatedKey to the CCryptoBoringSSL_XWING_decap C API without proper length validation.
- The C API attempts to read 1120 bytes from the undersized buffer, resulting in an out-of-bounds read.
- The out-of-bounds read can cause a crash or potentially leak sensitive memory contents.
- The attacker may leverage the crash to cause a denial of service or use memory disclosure for further exploitation.
Impact
Successful exploitation of this vulnerability allows a remote attacker to cause an out-of-bounds read in the swift-crypto library. This could lead to denial-of-service conditions due to application crashes, or potentially enable sensitive information disclosure, depending on the specific memory layout and runtime protections in place. The affected package is swift/swift-crypto (vulnerable versions: >= 4.0.0, <= 4.3.0).
Recommendation
- Upgrade the swift-crypto library to a patched version (greater than 4.3.0) to remediate the vulnerability and prevent out-of-bounds reads.
- Implement input validation on the length of HPKE encapsulated keys before passing them to the HPKE.Recipient initializer, so that the vulnerable code path is never reached.
- Enable AddressSanitizer (ASan) during development and testing to detect memory safety issues like this one early.
- Deploy the Sigma rule "Detect HPKE Recipient Init with Short Encapsulated Key" to identify attempts to exploit this vulnerability via short encapsulated key values.
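The length check recommended above, written out as an added example; this is not code from swift-crypto. The 1120-byte constant comes from the advisory. The wrapper takes the real initializer as a closure, so nothing is assumed about the exact HPKE.Recipient overload for X-Wing beyond it accepting the encapsulated key as Data; the DemoRecipient type and both sample inputs are constructed so the file runs without the library.

```swift
import Foundation

/// Fixed X-Wing encapsulated-key (ciphertext) length, as stated in the advisory.
let xwingEncapsulatedKeyLength = 1120

enum EncapsulatedKeyError: Error, Equatable {
    case wrongLength(expected: Int, actual: Int)
}

/// Accepts only an encapsulated key of exactly the X-Wing ciphertext size.
/// Anything shorter (or longer) is rejected before decapsulation is attempted,
/// so the C API never sees a buffer smaller than the 1120 bytes it reads.
func validateXWingEncapsulatedKey(_ encapsulatedKey: Data) throws -> Data {
    guard encapsulatedKey.count == xwingEncapsulatedKeyLength else {
        throw EncapsulatedKeyError.wrongLength(expected: xwingEncapsulatedKeyLength,
                                               actual: encapsulatedKey.count)
    }
    return encapsulatedKey
}

/// Generic guard around whatever initializer builds the recipient: the length
/// check runs first, and the closure only ever receives a correctly sized key.
/// In application code the closure would call the HPKE.Recipient initializer
/// (assumed to be HPKE.Recipient(privateKey:ciphersuite:info:encapsulatedKey:))
/// with the caller's X-Wing private key and ciphersuite.
func makeRecipientChecked<Recipient>(
    encapsulatedKey: Data,
    initialize: (Data) throws -> Recipient
) throws -> Recipient {
    let checked = try validateXWingEncapsulatedKey(encapsulatedKey)
    return try initialize(checked)
}

// Stand-in for the recipient type so this file runs without swift-crypto (constructed).
struct DemoRecipient { let keyBytes: Int }

// Constructed inputs: one byte short of the expected size, and exactly the expected size.
let undersized = Data(repeating: 0x41, count: xwingEncapsulatedKeyLength - 1)
let wellSized = Data(repeating: 0x41, count: xwingEncapsulatedKeyLength)

for candidate in [undersized, wellSized] {
    do {
        let recipient = try makeRecipientChecked(encapsulatedKey: candidate) { key in
            DemoRecipient(keyBytes: key.count)
        }
        print("accepted key of \(recipient.keyBytes) bytes")
    } catch EncapsulatedKeyError.wrongLength(let expected, let actual) {
        print("rejected: expected \(expected) bytes, got \(actual)")
    } catch {
        print("unexpected error: \(error)")
    }
}
```

The check is an exact-length comparison rather than a minimum: X-Wing ciphertexts are fixed-size, so an oversized value is just as malformed as a short one, and rejecting it costs nothing. Running the file prints one rejection (1119 bytes) followed by one acceptance (1120 bytes).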
Detection coverage (2 rules)
- Detect HPKE Recipient Init with Short Encapsulated Key (level: low): detects initialization of HPKE.Recipient with an encapsulated key smaller than the expected size (1120 bytes for X-Wing).
- Detect crash of swift test with address sanitizer (level: high): detects a crash in swift test when run with the address sanitizer, which could indicate a memory safety issue.
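An added example, not part of the advisory or of the platform's rules, of the kind of log scanning the second rule (and the ASan recommendation above) relies on: a small Swift scanner that walks swift test output, picks out AddressSanitizer report headers and the access line that follows them, and returns one finding per report. The log lines are constructed to mirror standard ASan report formatting; the process id, addresses and sizes in them are invented for the sample.

```swift
import Foundation

/// One AddressSanitizer report found in test output.
struct AsanFinding: Equatable {
    let lineNumber: Int     // 1-based index of the ERROR line in the log
    let errorKind: String   // e.g. "heap-buffer-overflow"
    let accessSize: Int?    // from the "READ of size N" / "WRITE of size N" line, if present
}

// ASan report header and access-description lines (standard ASan formatting).
private let errorLine = try! NSRegularExpression(
    pattern: #"^==\d+==ERROR: AddressSanitizer: ([A-Za-z-]+)"#)
private let accessLine = try! NSRegularExpression(
    pattern: #"^(?:READ|WRITE) of size (\d+)"#)

/// Returns the first capture group of `regex` in `line`, or nil when it does not match.
private func capture(_ regex: NSRegularExpression, in line: String) -> String? {
    let whole = NSRange(line.startIndex..., in: line)
    guard let match = regex.firstMatch(in: line, range: whole),
          let group = Range(match.range(at: 1), in: line) else { return nil }
    return String(line[group])
}

/// Walks the log once: each ERROR header opens a finding, and the first access
/// line that follows it (if any) supplies the access size. A header with no
/// access line still yields a finding, so truncated reports are not lost.
func detectAsanCrashes(in logLines: [String]) -> [AsanFinding] {
    var findings: [AsanFinding] = []
    var open: (lineNumber: Int, kind: String)? = nil
    for (index, line) in logLines.enumerated() {
        if let kind = capture(errorLine, in: line) {
            if let pending = open {
                findings.append(AsanFinding(lineNumber: pending.lineNumber,
                                            errorKind: pending.kind, accessSize: nil))
            }
            open = (index + 1, kind)
        } else if let pending = open,
                  let size = capture(accessLine, in: line).flatMap({ Int($0) }) {
            findings.append(AsanFinding(lineNumber: pending.lineNumber,
                                        errorKind: pending.kind, accessSize: size))
            open = nil
        }
    }
    if let pending = open {
        findings.append(AsanFinding(lineNumber: pending.lineNumber,
                                    errorKind: pending.kind, accessSize: nil))
    }
    return findings
}

// Constructed swift test output: one passing case, then a report shaped like ASan's.
let sampleLog = [
    "Test Case 'XWingTests.testRoundTrip' passed (0.012 seconds)",
    "Test Case 'XWingTests.testShortCiphertext' started.",
    "==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000110 at pc 0x000104c8 bp 0x7ffee000 sp 0x7ffee000",
    "READ of size 1120 at 0x602000000110 thread T0",
    "    #0 0x104c8 in CCryptoBoringSSL_XWING_decap",
    "SUMMARY: AddressSanitizer: heap-buffer-overflow in CCryptoBoringSSL_XWING_decap",
]

for finding in detectAsanCrashes(in: sampleLog) {
    let size = finding.accessSize.map(String.init) ?? "unknown"
    print("line \(finding.lineNumber): \(finding.errorKind), access size \(size)")
}
```

Both patterns are anchored at the start of the line, so ordinary test names or log messages that merely mention "AddressSanitizer" do not trigger a finding; each finding carries the line number of its ERROR header, which lets a rule tie the report back to the test case that started immediately before it. On the sample above the scanner reports one finding: line 3, heap-buffer-overflow, access size 1120.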