Unknown · Openssl 3.6 · CVE-2025-69419
**Name of the Vulnerable Software and Affected Versions**
OpenSSL versions 1.1.1, 3.0, 3.3, 3.4, 3.5 and 3.6
**Description**
A flaw exists in the handling of maliciously crafted PKCS#12 files when using the `PKCS12_get_friendlyname()` API. Specifically, processing a PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code points can lead to a one-byte write before the allocated buffer. This out-of-bounds write can cause memory corruption, potentially resulting in a Denial of Service. The issue stems from an incorrect capacity calculation within the `bmp_to_utf8()` function during the UTF-16 to UTF-8 conversion process, specifically when handling BMP code points above U+07FF. The `OPENSSL_uni2utf8()` function is involved in this conversion. The vulnerability is triggered when parsing attacker-controlled PKCS#12 files via the public `PKCS12_get_friendlyname()` API. The FIPS modules in versions 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected.
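The capacity arithmetic the description refers to, shown as an added example in C that is not OpenSSL's own code: it computes the exact UTF-8 size of a UTF-16BE BMPString before converting, so that every code point from U+0800 to U+FFFF (everything above U+07FF) is budgeted as three bytes rather than two, and every write is checked against that budget. The function names (`bmp_utf8_capacity`, `bmp_to_utf8_checked`) and the sample inputs are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not OpenSSL code): bounds-checked UTF-16BE (BMPString)
 * to UTF-8 conversion. UTF-8 needs 1 byte for U+0000..U+007F, 2 bytes for
 * U+0080..U+07FF and 3 bytes for U+0800..U+FFFF; a capacity calculation
 * that stops at 2 bytes for the last range is one byte short per such
 * character, which is exactly the kind of error that leads to an
 * out-of-bounds write.
 */

#define BMP_CAPACITY_ERROR ((size_t)-1)

/* UTF-8 length of a single BMP code point (no surrogates, so max 3). */
static size_t utf8_len_for_bmp(uint16_t cp)
{
    if (cp < 0x80)
        return 1;
    if (cp < 0x800)
        return 2;
    return 3;           /* U+0800..U+FFFF, i.e. everything above U+07FF */
}

/* Exact UTF-8 byte count (excluding NUL) for a UTF-16BE buffer of len bytes. */
size_t bmp_utf8_capacity(const unsigned char *bmp, size_t len)
{
    size_t i, total = 0;

    if (bmp == NULL || (len & 1) != 0)          /* UTF-16 units are 2 bytes */
        return BMP_CAPACITY_ERROR;
    for (i = 0; i < len; i += 2) {
        uint16_t cp = (uint16_t)(((uint16_t)bmp[i] << 8) | bmp[i + 1]);
        if (cp >= 0xD800 && cp <= 0xDFFF)       /* surrogates are invalid in BMPString */
            return BMP_CAPACITY_ERROR;
        total += utf8_len_for_bmp(cp);
    }
    return total;
}

/* Convert to a NUL-terminated UTF-8 string sized from the capacity above. Caller frees. */
char *bmp_to_utf8_checked(const unsigned char *bmp, size_t len, size_t *out_len)
{
    size_t cap = bmp_utf8_capacity(bmp, len);
    size_t i, pos = 0;
    char *out;

    if (cap == BMP_CAPACITY_ERROR)
        return NULL;
    out = malloc(cap + 1);
    if (out == NULL)
        return NULL;

    for (i = 0; i < len; i += 2) {
        uint16_t cp = (uint16_t)(((uint16_t)bmp[i] << 8) | bmp[i + 1]);
        size_t need = utf8_len_for_bmp(cp);

        /* Every write is checked against the capacity computed up front. */
        if (pos + need > cap) {
            free(out);
            return NULL;
        }
        if (need == 1) {
            out[pos++] = (char)cp;
        } else if (need == 2) {
            out[pos++] = (char)(0xC0 | (cp >> 6));
            out[pos++] = (char)(0x80 | (cp & 0x3F));
        } else {
            out[pos++] = (char)(0xE0 | (cp >> 12));
            out[pos++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            out[pos++] = (char)(0x80 | (cp & 0x3F));
        }
    }
    out[pos] = '\0';
    if (out_len != NULL)
        *out_len = pos;
    return out;
}

/* Constructed sample friendly names in UTF-16BE, as a BMPString stores them. */
static const unsigned char SAMPLE_ASCII[] = { 0x00, 'k', 0x00, 'e', 0x00, 'y' };     /* "key": 3 bytes */
static const unsigned char SAMPLE_LATIN[] = { 0x00, 0xE9 };                            /* U+00E9: 2 bytes */
static const unsigned char SAMPLE_ABOVE_07FF[] = { 0x00, 'A', 0x20, 0xAC, 0x4E, 0x2D }; /* "A" U+20AC U+4E2D: 1+3+3 */
```

The point to take from the third sample: a three-character name needs seven output bytes, not the five a two-bytes-per-non-ASCII-character estimate would allocate, so the size must be derived per code point before any buffer is allocated.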
**Recommendations**
OpenSSL version 1.1.1: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
OpenSSL version 3.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
OpenSSL version 3.3: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
OpenSSL version 3.4: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
OpenSSL version 3.5: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
OpenSSL version 3.6: At the moment, there is no information about a newer version that contains a fix for this vulnerability.