Tom Colley

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 3.0.0 through 3.0.2 **Description** The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key, making the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the connection will fail at that point. Many application protocols require data to be sent from the client to the server first. Therefore, in such a case, only an OpenSSL 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client. If both endpoints are OpenSSL 3.0, then the attacker could modify data being sent in both directions. In this case, both clients and servers could be affected, regardless of the application protocol. The confidentiality of data is not impacted by this issue, i.e., an attacker cannot decrypt data that has been encrypted using this ciphersuite - they can only modify it. **Recommendations** To resolve the issue, update to OpenSSL version 3.0.3 or later. For versions 3.0.0, 3.0.1, and 3.0.2, consider disabling the RC4-MD5 ciphersuite as a temporary workaround until a patch is available. Restrict access to the vulnerable ciphersuite to minimize the risk of exploitation. Avoid using the RC4-MD5 ciphersuite in SSL/TLS connections until the issue is resolved.