{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/openssl/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openssl"],"_cs_severities":["high"],"_cs_tags":["openssl","aes","keywrap","oob-write","memory-corruption"],"_cs_type":"advisory","_cs_vendors":["OpenSSL"],"content_html":"\u003cp\u003eThe rust-openssl crate, specifically versions 0.10.24 through 0.10.77, contains a critical vulnerability in the \u003ccode\u003eaes::unwrap_key()\u003c/code\u003e function. This function is intended to perform AES key unwrapping, the inverse of AES key wrapping, a process used to securely encrypt cryptographic keys. The vulnerability arises from an inverted bounds check on the output buffer size, where the function incorrectly validates the size of the output buffer against the input buffer size. This flaw allows an attacker to potentially write beyond the allocated memory region, leading to a crash or, in more sophisticated scenarios, arbitrary code execution. 
Exploitation requires that the vulnerable application utilizes AES keywrap and allows the attacker to control the buffer sizes passed to \u003ccode\u003eaes::unwrap_key()\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application using the vulnerable rust-openssl crate (versions 0.10.24 - 0.10.77) and the \u003ccode\u003eaes::unwrap_key()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input with specific sizes for the input and output buffers to trigger the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker provides a crafted input buffer (\u003ccode\u003ein_\u003c/code\u003e) and a smaller-than-required output buffer (\u003ccode\u003eout\u003c/code\u003e) to the vulnerable \u003ccode\u003eaes::unwrap_key()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe incorrect bounds assertion \u003ccode\u003eout.len() + 8 \u0026lt;= in_.len()\u003c/code\u003e passes, as the \u003ccode\u003eout\u003c/code\u003e buffer is intentionally smaller than \u003ccode\u003ein_.len() - 8\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eaes::unwrap_key()\u003c/code\u003e function proceeds with the AES key unwrapping process.\u003c/li\u003e\n\u003cli\u003eDuring the key unwrapping process, the function attempts to write \u003ccode\u003ein_.len() - 8 - out.len()\u003c/code\u003e bytes beyond the allocated boundary of the \u003ccode\u003eout\u003c/code\u003e buffer.\u003c/li\u003e\n\u003cli\u003eThis out-of-bounds write corrupts adjacent memory regions within the application\u0026rsquo;s address space.\u003c/li\u003e\n\u003cli\u003eDepending on the overwritten memory, the attacker can potentially achieve arbitrary code execution or cause a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can 
lead to various adverse consequences, including denial of service, information disclosure, or arbitrary code execution. Applications utilizing AES keywrap and accepting attacker-controlled buffer sizes are at the highest risk. The specific impact depends on the application\u0026rsquo;s memory layout and the attacker\u0026rsquo;s ability to control the overwritten memory. Given the widespread use of OpenSSL for cryptographic operations, this vulnerability poses a significant threat to vulnerable applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003erust-openssl\u003c/code\u003e crate to version 0.10.78 or later to patch the vulnerability as indicated in \u003ca href=\"https://github.com/advisories/GHSA-8c75-8mhr-p7r9\"\u003eGHSA-8c75-8mhr-p7r9\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eAudit code using \u003ccode\u003eaes::unwrap_key()\u003c/code\u003e to ensure input and output buffer sizes are validated correctly to prevent out-of-bounds writes.\u003c/li\u003e\n\u003cli\u003eImplement runtime memory protection mechanisms to detect and prevent out-of-bounds writes, mitigating the impact of this and similar vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-openssl-oob-write/","summary":"The rust-openssl package is vulnerable to an out-of-bounds write due to an incorrect bounds assertion in the `aes::unwrap_key()` function, potentially leading to arbitrary code execution if attacker-controlled buffer sizes are permitted.","title":"rust-openssl AES Key Wrap Out-of-Bounds Write Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-openssl-oob-write/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openssl"],"_cs_severities":["high"],"_cs_tags":["buffer 
overflow","rust","openssl","vulnerability"],"_cs_type":"advisory","_cs_vendors":["OpenSSL"],"content_html":"\u003cp\u003eThe \u003ccode\u003erust-openssl\u003c/code\u003e crate, a Rust wrapper for the OpenSSL library, is susceptible to a critical vulnerability (CVE-2026-41681) stemming from a buffer overflow within the \u003ccode\u003eMdCtxRef::digest_final()\u003c/code\u003e function. This flaw arises because \u003ccode\u003eEVP_DigestFinal()\u003c/code\u003e unconditionally writes \u003ccode\u003eEVP_MD_CTX_size(ctx)\u003c/code\u003e bytes to the provided output buffer (\u003ccode\u003eout\u003c/code\u003e), without verifying whether the buffer\u0026rsquo;s allocated size is sufficient. Consequently, if \u003ccode\u003eout\u003c/code\u003e is smaller than the size dictated by \u003ccode\u003eEVP_MD_CTX_size(ctx)\u003c/code\u003e, an out-of-bounds write occurs, potentially leading to stack corruption. The vulnerability is reachable from safe Rust code, making it a significant concern for applications utilizing the affected versions of the \u003ccode\u003erust-openssl\u003c/code\u003e crate. 
Specifically, versions 0.10.39 up to (but not including) 0.10.78 are affected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a Rust application that utilizes the \u003ccode\u003erust-openssl\u003c/code\u003e crate.\u003c/li\u003e\n\u003cli\u003eThe application initiates a digest operation using \u003ccode\u003eEVP_DigestInit()\u003c/code\u003e to set up the message digest context.\u003c/li\u003e\n\u003cli\u003eThe application feeds data into the digest context using \u003ccode\u003eEVP_DigestUpdate()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application calls \u003ccode\u003eMdCtxRef::digest_final()\u003c/code\u003e via safe Rust.\u003c/li\u003e\n\u003cli\u003eInternally, \u003ccode\u003eEVP_DigestFinal()\u003c/code\u003e is called without proper bounds checking.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEVP_DigestFinal()\u003c/code\u003e attempts to write \u003ccode\u003eEVP_MD_CTX_size(ctx)\u003c/code\u003e bytes to the \u003ccode\u003eout\u003c/code\u003e buffer.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003eout\u003c/code\u003e is smaller than the expected size, a stack-based buffer overflow occurs as data is written beyond the allocated memory region.\u003c/li\u003e\n\u003cli\u003eThis overflow overwrites adjacent memory on the stack, potentially corrupting critical program data or control flow structures, leading to crashes or arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to potentially achieve arbitrary code execution within the context of the affected application. This could lead to complete system compromise, data breaches, or denial-of-service conditions. 
Given that the vulnerability is reachable from safe Rust, applications relying on vulnerable versions of the \u003ccode\u003erust-openssl\u003c/code\u003e crate are at risk. The vulnerability can cause stack corruption, leading to unpredictable behavior and potential application crashes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003erust-openssl\u003c/code\u003e crate to version 0.10.78 or later to remediate CVE-2026-41681.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and size checks when using the \u003ccode\u003erust-openssl\u003c/code\u003e crate, specifically when handling digest operations, to prevent buffer overflows.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-rust-openssl-buffer-overflow/","summary":"The rust-openssl crate is vulnerable to a stack-based buffer overflow (CVE-2026-41681) where the `EVP_DigestFinal()` function writes beyond the allocated buffer, potentially corrupting the stack, affecting versions \u003e= 0.10.39 and \u003c 0.10.78.","title":"rust-openssl Stack Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-03-rust-openssl-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openssl"],"_cs_severities":["high"],"_cs_tags":["openssl","buffer-overflow","rust","cryptography"],"_cs_type":"advisory","_cs_vendors":["OpenSSL"],"content_html":"\u003cp\u003eThe \u003ccode\u003erust-openssl\u003c/code\u003e crate, specifically the \u003ccode\u003eDeriver::derive\u003c/code\u003e and \u003ccode\u003ePkeyCtxRef::derive\u003c/code\u003e functions, is vulnerable to a heap/stack overflow when used in conjunction with OpenSSL version 1.1.x. 
This occurs because the \u003ccode\u003eEVP_PKEY_derive\u003c/code\u003e function in OpenSSL 1.1.x fails to properly validate the input buffer length when used with X25519, X448, DH, and HKDF-extract. These key derivation functions unconditionally write the full shared secret (32/56/prime-size bytes) regardless of the buffer size provided by the caller, leading to a buffer overflow if the provided slice is too small. This vulnerability affects rust-openssl versions \u0026gt;= 0.9.27 and \u0026lt; 0.10.78. This vulnerability is mitigated in OpenSSL 3.x because the providers check buffer length.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious application using the \u003ccode\u003erust-openssl\u003c/code\u003e crate.\u003c/li\u003e\n\u003cli\u003eThe application uses \u003ccode\u003eDeriver::derive\u003c/code\u003e or \u003ccode\u003ePkeyCtxRef::derive\u003c/code\u003e with an X25519, X448, DH, or HKDF-extract key agreement algorithm.\u003c/li\u003e\n\u003cli\u003eThe application provides a buffer smaller than the expected output size of the key derivation function (32 bytes for X25519, 56 bytes for X448, prime-size bytes for DH).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eEVP_PKEY_derive\u003c/code\u003e function in OpenSSL 1.1.x is called without proper buffer length validation.\u003c/li\u003e\n\u003cli\u003eThe key derivation function writes the full shared secret to the undersized buffer.\u003c/li\u003e\n\u003cli\u003eA heap or stack buffer overflow occurs, overwriting adjacent memory.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the application\u0026rsquo;s execution flow.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the target system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to arbitrary code execution within the 
context of the vulnerable application. This could allow an attacker to gain complete control of the affected system. The number of victims depends on the prevalence of vulnerable \u003ccode\u003erust-openssl\u003c/code\u003e versions being used with OpenSSL 1.1.x. Sectors that rely on \u003ccode\u003erust-openssl\u003c/code\u003e for cryptographic operations are at higher risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003erust-openssl\u003c/code\u003e crate to version \u0026gt;= 0.10.78 to patch the vulnerability (see Overview).\u003c/li\u003e\n\u003cli\u003eIf upgrading \u003ccode\u003erust-openssl\u003c/code\u003e is not immediately feasible, ensure that OpenSSL is upgraded to version 3.x, where the buffer length is checked (see Overview).\u003c/li\u003e\n\u003cli\u003eImplement runtime checks to validate buffer lengths before calling \u003ccode\u003eDeriver::derive\u003c/code\u003e and \u003ccode\u003ePkeyCtxRef::derive\u003c/code\u003e when using X25519, X448, DH, or HKDF-extract (see Attack Chain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect potential exploitation attempts (see Rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-openssl-overflow/","summary":"The rust-openssl crate's `Deriver::derive` and `PkeyCtxRef::derive` functions can cause heap/stack overflows when used with OpenSSL 1.1.x due to insufficient buffer length validation in X25519, X448, DH, and HKDF-extract, affecting rust-openssl versions \u003e= 0.9.27 and \u003c 0.10.78.","title":"Heap/Stack Overflow in rust-openssl with OpenSSL 1.1.x","url":"https://feed.craftedsignal.io/briefs/2024-01-03-openssl-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — OpenSSL","version":"https://jsonfeed.org/version/1.1"}