PT-2023-28598 · Aes-Gcm+1

Nandita-V · Published 2023-09-22 · Updated 2024-06-15 · CVE-2023-42811

CVSS v3.1: 4.7 (Medium)
Vector: AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: aes-gcm versions 0.10.0 through 0.10.2

Description: The issue concerns the AES-GCM implementation of decrypt_in_place_detached, in which the buffer still holds the decrypted ciphertext after tag verification fails, so a caller that reads the buffer after an error sees unauthenticated plaintext. This can enable chosen-ciphertext attacks (CCAs), potentially causing a catastrophic breakage of the cipher, including full plaintext recovery.

Recommendations: For versions 0.10.0 through 0.10.2, update to version 0.10.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the decrypt_in_place_detached function until a patch is available. Avoid using the decrypt_in_place* APIs in a way that accesses the buffer after decryption failure, as this may expose the decrypted ciphertext.
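The recommendation above amounts to a rule for callers: after a failed decrypt_in_place_detached, treat the buffer as poisoned and never read it. The following is an added example written for this page; it is not code from the aes-gcm crate or from the advisory. It uses a deliberately toy stand-in cipher (XOR keystream plus a non-cryptographic checksum tag, constructed here and offering no security) that reproduces the shape of the vulnerable behaviour, namely decrypting into the buffer before the tag is checked and returning Err without wiping, and then shows a hypothetical hardening wrapper, decrypt_in_place_detached_hardened, that zeroises the buffer whenever the inner call fails. The wrapper takes a closure over a buffer-plus-tag call returning Result, which is the shape of the aead AeadInPlace::decrypt_in_place_detached method, so the same wrapper can be applied to the real crate while a dependency cannot yet be upgraded.

```rust
use std::ptr::write_volatile;
use std::sync::atomic::{compiler_fence, Ordering};

/// Error returned on tag mismatch (stands in for aead::Error in this example).
#[derive(Debug, PartialEq, Eq)]
pub struct TagMismatch;

/// Toy keystream, constructed for illustration only. NOT a cipher.
fn toy_keystream(key: &[u8; 16], nonce: &[u8; 12], len: usize) -> Vec<u8> {
    (0..len)
        .map(|i| {
            let mixed = (key[i % 16] ^ nonce[i % 12]).wrapping_add((i as u8).wrapping_mul(37));
            mixed.rotate_left((i % 8) as u32)
        })
        .collect()
}

/// Toy tag over nonce, AAD and ciphertext, constructed for illustration only. NOT a MAC.
fn toy_tag(key: &[u8; 16], nonce: &[u8; 12], aad: &[u8], ciphertext: &[u8]) -> [u8; 16] {
    let mut acc = *key;
    for (i, &b) in nonce.iter().chain(aad).chain(ciphertext).enumerate() {
        let j = i % 16;
        acc[j] = acc[j].wrapping_mul(31).wrapping_add(b).rotate_left(3);
        acc[(j + 7) % 16] ^= acc[j];
    }
    acc
}

/// Constant-time equality for two tags (real code would use subtle::ConstantTimeEq).
fn ct_eq(a: &[u8; 16], b: &[u8; 16]) -> bool {
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Encrypt `buffer` in place with the toy cipher and return the detached tag.
pub fn toy_encrypt_in_place_detached(key: &[u8; 16], nonce: &[u8; 12], aad: &[u8], buffer: &mut [u8]) -> [u8; 16] {
    let ks = toy_keystream(key, nonce, buffer.len());
    for (b, k) in buffer.iter_mut().zip(ks) {
        *b ^= k;
    }
    toy_tag(key, nonce, aad, buffer)
}

/// Mimics the behaviour the advisory describes: the buffer is decrypted in place
/// before the tag is checked, and on mismatch the function returns Err while the
/// buffer still holds the unauthenticated plaintext.
pub fn toy_decrypt_in_place_detached(
    key: &[u8; 16],
    nonce: &[u8; 12],
    aad: &[u8],
    buffer: &mut [u8],
    tag: &[u8; 16],
) -> Result<(), TagMismatch> {
    let expected = toy_tag(key, nonce, aad, buffer); // tag is computed over the ciphertext
    let ks = toy_keystream(key, nonce, buffer.len());
    for (b, k) in buffer.iter_mut().zip(ks) {
        *b ^= k;
    }
    if ct_eq(&expected, tag) { Ok(()) } else { Err(TagMismatch) }
}

/// Overwrite the buffer with zeros using volatile stores so the compiler cannot
/// drop the writes as dead; the zeroize crate is the usual choice in real code.
fn secure_wipe(buffer: &mut [u8]) {
    for b in buffer.iter_mut() {
        unsafe { write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Hypothetical hardening wrapper: run any decrypt-in-place-detached call and,
/// if it fails, wipe the buffer before returning so no caller can read the
/// unauthenticated plaintext.
pub fn decrypt_in_place_detached_hardened<E>(
    buffer: &mut [u8],
    decrypt: impl FnOnce(&mut [u8]) -> Result<(), E>,
) -> Result<(), E> {
    let result = decrypt(buffer);
    if result.is_err() {
        secure_wipe(buffer);
    }
    result
}

fn main() {
    // Constructed sample inputs.
    let key = [0x11u8; 16];
    let nonce = [0x22u8; 12];
    let aad = b"constructed header";
    let mut buf = b"constructed plaintext".to_vec();
    let tag = toy_encrypt_in_place_detached(&key, &nonce, aad, &mut buf);
    let mut bad_tag = tag;
    bad_tag[0] ^= 0x01; // simulate a tag that fails verification

    let mut raw = buf.clone();
    let r = toy_decrypt_in_place_detached(&key, &nonce, aad, &mut raw, &bad_tag);
    println!("raw call: {:?}, buffer now: {:?}", r, String::from_utf8_lossy(&raw));

    let mut guarded = buf.clone();
    let r = decrypt_in_place_detached_hardened(&mut guarded, |b| {
        toy_decrypt_in_place_detached(&key, &nonce, aad, b, &bad_tag)
    });
    println!("hardened call: {:?}, buffer now: {:?}", r, guarded);
}
```

The raw call returns Err yet leaves the plaintext sitting in the buffer, which is exactly the condition the advisory warns about; the wrapper returns the same Err but the buffer is all zeros. The tag comparison is done in constant time because a timing-dependent comparison would be a separate weakness in any real AEAD implementation.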

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related identifiers

CVE-2023-42811
GHSA-423W-P2W9-R7VQ
OPENSUSE-SU-2023_4060-1
OPENSUSE-SU-2024:13315-1
RUSTSEC-2023-0096
SUSE-SU-2023:4060-1
SUSE-SU-2023_4060-1

Affected products

Suse
Aes-Gcm