Openssl · Openssl · CVE-2026-34182
**Name of the Vulnerable Software and Affected Versions**
OpenSSL (affected versions not specified)
**Description**
Cryptographic Message Syntax (CMS) processing fails to perform sufficient input validation on the cipher and tag-length fields of AuthEnvelopedData containers. This allows attackers to obtain key-equivalent functionality for a CMS recipient or to bypass integrity validation of a message.

In one scenario, an attacker sends a CMS message whose cipher is specified as a non-AEAD (Authenticated Encryption with Associated Data) cipher. Given a captured, legitimate AES-GCM AuthEnvelopedData message, the attacker can rewrite the inner OID to AES-256-OFB (an unauthenticated keystream mode) with a chosen IV and ciphertext. If the application reveals whether decryption succeeded or failed, it acts as an oracle that yields key-equivalent functionality for the `CEK` (content-encryption key). Additionally, an attacker can reduce the tag length of an AEAD cipher to a single byte, enabling a brute-force attack that bypasses integrity checks in applications that rely on the `CMS_decrypt()` function to reject modified content.
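Both manipulations described above (replacing the cipher OID with a non-AEAD mode, and shrinking the ICV/tag length) can be caught by a policy check on the contentEncryptionAlgorithm before the container reaches `CMS_decrypt()`. The following is an added example, not OpenSSL's code; the GCM-only allow-list, the 12..16-byte ICV range (RFC 5084) and the constructed DER samples are assumptions made here for illustration.

```python
# Added example: policy check on the AlgorithmIdentifier inside an
# AuthEnvelopedData EncryptedContentInfo. Rejects non-AEAD cipher OIDs and
# ICV (tag) lengths outside the 12..16 range allowed for AES-GCM by RFC 5084.

# NIST aes arc 2.16.840.1.101.3.4.1.*: GCM ids are 6, 26, 46 (OFB is 3, 23, 43).
AEAD_GCM_OIDS = {
    "2.16.840.1.101.3.4.1.6": "aes128-GCM",
    "2.16.840.1.101.3.4.1.26": "aes192-GCM",
    "2.16.840.1.101.3.4.1.46": "aes256-GCM",
}
MIN_ICV_LEN, MAX_ICV_LEN = 12, 16  # policy assumed here: never accept a truncated tag


def der_tlv(buf: bytes, pos: int = 0):
    """Decode one definite-length DER TLV; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, acc = list(divmod(body[0], 40)), 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def check_auth_enveloped_alg(alg_id: bytes) -> tuple[bool, str]:
    """Validate a DER AlgorithmIdentifier: AEAD allow-list plus ICV length bounds."""
    tag, seq, _ = der_tlv(alg_id)
    if tag != 0x30:
        return False, "AlgorithmIdentifier is not a SEQUENCE"
    oid_tag, oid_body, pos = der_tlv(seq)
    oid = decode_oid(oid_body)
    if oid_tag != 0x06 or oid not in AEAD_GCM_OIDS:
        return False, f"cipher {oid} is not an allow-listed AEAD mode"
    if pos >= len(seq):
        return False, "missing GCMParameters"
    _, params, _ = der_tlv(seq, pos)  # GCMParameters ::= SEQUENCE { nonce, ICVlen DEFAULT 12 }
    _, _nonce, ppos = der_tlv(params)
    icv_len = 12 if ppos >= len(params) else int.from_bytes(der_tlv(params, ppos)[1], "big")
    if not MIN_ICV_LEN <= icv_len <= MAX_ICV_LEN:
        return False, f"ICV length {icv_len} outside {MIN_ICV_LEN}..{MAX_ICV_LEN}"
    return True, f"{AEAD_GCM_OIDS[oid]} with {icv_len}-byte ICV"


def tlv(tag: int, body: bytes) -> bytes:  # short-form DER encoder for the constructed samples
    return bytes([tag, len(body)]) + body


# Constructed samples (not real captured messages): a valid aes256-GCM identifier,
# the same with ICVlen cut to 1 byte, and the OID rewritten to aes256-OFB with an IV.
AES256_GCM, AES256_OFB = bytes.fromhex("60864801650304012e"), bytes.fromhex("60864801650304012b")
NONCE = tlv(0x04, b"\x00" * 12)
GOOD = tlv(0x30, tlv(0x06, AES256_GCM) + tlv(0x30, NONCE + tlv(0x02, b"\x10")))
SHORT_TAG = tlv(0x30, tlv(0x06, AES256_GCM) + tlv(0x30, NONCE + tlv(0x02, b"\x01")))
NON_AEAD = tlv(0x30, tlv(0x06, AES256_OFB) + tlv(0x04, b"\x00" * 16))
```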
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.