Alex Gaynor

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** PKCS#12 file processing fails to perform sufficient input validation for files using the Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism. This allows an attacker to create unencrypted PKCS#12 files that specify an HMAC key of only one byte. Consequently, a service reading these files may accept forged certificates and private keys with a 1 in 256 probability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 3.0 through 3.3 **Description** The implementations of AES-SIV and AES-GCM-SIV mishandle the authentication of Additional Authenticated Data (AAD) when the ciphertext is empty, which allows for the forgery of such messages. In the provider implementation of these ciphers, the expected tag is only computed when the decryption function is invoked with non-empty data. If a caller provides AAD and then calls the `EVP DecryptFinal ex()` function without updating the ciphertext (which occurs when the received ciphertext length is zero), the tag is not recalculated and retains an all-zeros value. Consequently, for AES-GCM-SIV, an attacker can pass authentication using arbitrary AAD, an empty ciphertext, and an all-zeros tag without knowing the key. For AES-SIV, the attack requires the application to reuse the decryption context without resetting the key. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** When using the AES-OCB cipher with the one-shot `EVP Cipher()` interface, the application-supplied initialisation vector (IV) is silently discarded. This causes every message encrypted with the same key to use the same effective nonce, leading to (key, nonce) reuse and a loss of confidentiality. If the same path is used to compute the authentication tag, the tag depends only on the (key, IV) pair rather than the plaintext or ciphertext, which allows for universal forgery of arbitrary ciphertext from a single captured message. This occurs because the one-shot handler fails to flush the IV into the OCB context, unlike the streaming handler. If `EVP EncryptFinal ex()` is later used to obtain the authentication tag, the deferred IV setup clears the running checksum that should have been accumulated over the plaintext. **Recommendations** Avoid using the `EVP Cipher()` one-shot API with the AES-OCB cipher and instead use the documented streaming AEAD API consisting of `EVP CipherUpdate()` and `EVP CipherFinal ex()`.

**Name of the Vulnerable Software and Affected Versions** OpenSSL FIPS modules versions 3.0, 3.4, 3.5, 3.6, and 4.0 **Description** When the `EVP PKEY derive set peer()` function is called with a DHX (X9.42) peer key, the software fails to properly verify subgroup membership. Specifically, the check `Y^q ≡ 1 (mod p)` is performed using the `q` parameter provided by the peer instead of the local key's `q` parameter. While other domain parameters are matched against the private key, the `q` value is not compared. This allows a malicious peer to present an X9.42 key with the victim's `p` and `g` parameters, a forged `q` equal to `r` (a small prime factor of the cofactor `(p−1)/q local`), and a public value `Y` of order `r`. This bypasses checks and results in a shared secret with only `r` distinct values, leaking the private key modulo `r`. By repeating this process for each small-prime factor of the cofactor and combining the results via the Chinese Remainder Theorem (CRT), an attacker can recover the full private key. This is known as a Lim–Lee or small-subgroup-confinement attack. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** An error in the callback used to verify certificates during a Root CA key update in the Certificate Management Protocol (CMP) renders certificate validation ineffectual. Specifically, a typo in the certificate chain building code within the `OSSL CMP get1 rootCaKeyUpdate()` function causes an incorrect certificate (`newWithOld` instead of `oldRoot`) to be added to the chain. This allows an attacker with valid Registration Authority (RA) level credentials to bypass signature verification and replace the root CA certificate for CMP clients with an arbitrary self-signed certificate, effectively escalating credentials to the root Certification Authority level. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** The `CMS decrypt()` and `PKCS7 decrypt()` functions are susceptible to a Bleichenbacher-style attack, which is an adaptive-chosen-ciphertext side channel. This allows an attacker to use a vulnerable application to decrypt or sign messages using the victim's private RSA key. The issue occurs in two scenarios: first, when the decryption API is used without a recipient certificate, OpenSSL iterates through every `KeyTransRecipientInfo` (KTRI) without stopping at the first success; second, when a recipient certificate is provided but the recipient is not found, a random key is substituted. In both cases, if an attacker can observe error codes or decryption output, they can establish an oracle to decrypt RSA ciphertexts or forge PKCS#1 v1.5 signatures. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers. This allows attackers to achieve key-equivalent functionality for a CMS recipient or bypass integrity validation for a message. In one scenario, an attacker can send a CMS message where the cipher is specified as a non-AEAD (Authenticated Encryption with Associated Data) cipher. If an attacker captures a legitimate AES-GCM AuthEnvelopedData message, they can rewrite the inner OID to AES-256-OFB (an unauthenticated keystream mode) with a chosen IV and ciphertext. If the application provides feedback on the success or failure of the decryption, it can act as an oracle to obtain key-equivalent functionality for the `CEK` (content-encryption key). Additionally, an attacker can reduce the tag length of an AEAD cipher to a single byte, enabling a brute-force attack to bypass integrity checks in applications relying on the `CMS decrypt()` function to reject modified content. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions OpenSSL FIPS Module version 3.6 Description Applications utilizing AES-CFB128 encryption or decryption on systems equipped with AVX-512 and VAES support may experience an out-of-bounds read of up to 15 bytes when handling partial cipher blocks. This can lead to a denial of service if the input buffer is at a memory page boundary and the subsequent page is unmapped. The issue occurs only when processing partial blocks and on x86-64 systems with AVX-512 and VAES instruction support. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 149 Thunderbird versions prior to 149 **Description** An undefined behavior issue exists in the Audio/Video component. This can lead to unexpected program behavior. **Recommendations** Update Firefox to version 149 or later. Update Thunderbird to version 149 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 149 Thunderbird versions prior to 149 **Description** A use-after-free issue exists in the JavaScript Engine component. This condition may allow for unexpected behavior. **Recommendations** Update Firefox to version 149 or later. Update Thunderbird to version 149 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 149 Firefox ESR versions prior to 140.9 Thunderbird versions prior to 149 Thunderbird versions prior to 140.9 **Description** A denial-of-service issue exists in the WebRTC: Signaling component. **Recommendations** Update Firefox to version 149 or later. Update Firefox ESR to version 140.9 or later. Update Thunderbird to version 149 or later. Update Thunderbird to version 140.9 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 149 Firefox ESR versions prior to 140.9 Thunderbird versions prior to 149 Thunderbird versions prior to 140.9 **Description** An undefined behavior exists within the WebRTC: Signaling component. This issue impacts the listed versions of Firefox and Thunderbird. **Recommendations** Update Firefox to version 149 or later. Update Firefox ESR to version 140.9 or later. Update Thunderbird to version 149 or later. Update Thunderbird to version 140.9 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 149 Firefox ESR versions prior to 140.9 Thunderbird versions prior to 149 Thunderbird versions prior to 140.9 **Description** An undefined behavior exists within the WebRTC: Signaling component. This issue impacts the listed software. **Recommendations** Update Firefox to version 149 or later. Update Firefox ESR to version 140.9 or later. Update Thunderbird to version 149 or later. Update Thunderbird to version 140.9 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 66 Firefox ESR versions prior to 60.6 Thunderbird versions prior to 60.6 **Description** The issue is related to memory safety bugs and buffer copying without checking the size of input data, which could potentially be exploited to run arbitrary code. This may lead to memory corruption. **Recommendations** For Firefox versions prior to 66, update to version 66 or later. For Firefox ESR versions prior to 60.6, update to version 60.6 or later. For Thunderbird versions prior to 60.6, update to version 60.6 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 65 **Description** The issue is related to a buffer overflow in memory, which can be exploited by a remote attacker using a specially crafted web page. This could potentially allow the execution of arbitrary code or cause a denial of service. The estimated number of potentially affected devices worldwide is not specified. There is evidence of memory corruption, and it is presumed that some of these bugs could be exploited with enough effort. **Recommendations** For versions prior to 65, update to version 65 or later to resolve the issue. As a temporary workaround, consider restricting access to potentially vulnerable web pages until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 65 Firefox ESR versions prior to 60.5 Thunderbird versions prior to 60.5 **Description** The issue is related to memory safety bugs, including evidence of memory corruption, which could potentially be exploited to run arbitrary code. This is due to a buffer overflow in memory, allowing a remote attacker to cause a denial of service or execute arbitrary code using a specially crafted web page. **Recommendations** For Firefox versions prior to 65, update to version 65 or later. For Firefox ESR versions prior to 60.5, update to version 60.5 or later. For Thunderbird versions prior to 60.5, update to version 60.5 or later.

Name of the Vulnerable Software and Affected Versions: Firefox versions prior to 64 Description: The issue is related to memory safety bugs, including evidence of memory corruption, which could potentially be exploited to run arbitrary code. It is also described as a buffer overflow vulnerability in memory, allowing a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. Recommendations: For versions prior to 64, update to version 64 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive data and minimizing browser usage until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 62 Firefox ESR versions prior to 60.2 Thunderbird versions prior to 60.2.1 **Description** The issue is caused by memory safety bugs, including evidence of memory corruption, which could potentially be exploited to run arbitrary code with enough effort. This affects various versions of Firefox, Firefox ESR, and Thunderbird. **Recommendations** For Firefox versions prior to 62, update to version 62 or later. For Firefox ESR versions prior to 60.2, update to version 60.2 or later. For Thunderbird versions prior to 60.2.1, update to version 60.2.1 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions 60 and earlier Firefox ESR versions 60 and earlier, 52.8 and earlier Thunderbird versions 60 and earlier, 52.9 and earlier **Description** The issue is caused by memory safety bugs, including buffer overflow in memory, which can lead to memory corruption. It is presumed that with sufficient effort, some of these bugs could be exploited to run arbitrary code. This can be achieved by a remote attacker using a specially crafted web page. **Recommendations** For Firefox versions 60 and earlier, update to version 61 or later. For Firefox ESR versions 60 and earlier, update to version 60.1 or later. For Firefox ESR versions 52.8 and earlier, update to version 52.9 or later. For Thunderbird versions 60 and earlier, update to version 60.1 or later. For Thunderbird versions 52.9 and earlier, update to version 52.9.1 or later. As a temporary workaround, consider restricting access to potentially vulnerable web pages until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 61 Firefox ESR versions prior to 60.1 Thunderbird versions prior to 60 **Description** The issue is related to an invalid grid size during QCMS transformations, which can result in an out-of-bounds read. This could allow a remote attacker to leak protected information by reading beyond buffer boundaries. **Recommendations** For Firefox versions prior to 61, update to version 61 or later to resolve the issue. For Firefox ESR versions prior to 60.1, update to version 60.1 or later to resolve the issue. For Thunderbird versions prior to 60, update to version 60 or later to resolve the issue.