Skip to content

Buffer overflow in deserialization

High
dstebila published GHSA-pqvr-5cr8-v6fx Jun 15, 2024

Package

oqs-provider

Affected versions

<= 0.6.0

Patched versions

latest "main" branch and releases > 0.6.0

Description

oqs-provider is a provider for the OpenSSL 3 cryptography library that adds support for post-quantum cryptography in TLS, X.509, and S/MIME using post-quantum algorithms from liboqs.

Impact

Flaws have been identified in the way oqs-provider handles lengths decoded with DECODE_UINT32 at the start of serialized hybrid (traditional + post-quantum) keys and signatures. Unchecked length values are later used for memory reads and writes; malformed input can lead to crashes or information leakage.

Handling of plain/non-hybrid PQ key operation is not affected.

Patches

Fixed in v0.6.1.

Workarounds

None; users must upgrade to v0.6.1.

References

#416

Further details

DECODE_UINT32 is called on user-provided input without any length checks and the decoded classical key lengths and signature lengths are later used for memory reads and writes without any (or very limited) control. This mainly occurs in oqsx_key_op and oqs_sig_verify, as they are provided char * user input. This is the most severe security issue as outsiders could cause crashes or information leakage by providing malformed input.

DECODE_UINT32 is often used to load uint32 values into int's and other integer types, which could cause integer overflows and similar problems as above. This could also be easily exploited.

The patch fixing these problems also adds limited length checks where DECODE_UINT32 is called on an OQSX_KEY hybrid key's private key or public key, just to make sure erroneous behavior is avoided.

Credits

Thank you to Bence Mali, Gergely Nagy, and Zoltán Kővágó of Tresorit for identifying the issue and providing the patch to address it.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

CVE ID

CVE-2024-37305

Weaknesses

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. Learn more on MITRE.

Improper Handling of Length Parameter Inconsistency

The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data. Learn more on MITRE.

Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. Learn more on MITRE.

Integer Overflow to Buffer Overflow

The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow. Learn more on MITRE.

Buffer Access with Incorrect Length Value

The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer. Learn more on MITRE.

Credits