Viktor Dukhovni

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** A signed integer overflow occurs when sizing the destination buffer for Unicode output in the `ASN1 mbstring ncopy()` function, which can lead to a heap buffer overflow. This happens in `ASN1 mbstring copy()` and `ASN1 mbstring ncopy()` because the destination size for Unicode output is computed as a signed integer. Specifically, the calculation overflows when the input reaches approximately 2^30 characters through a left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), or by summing per-character byte counts for UTF8STRING. In the worst-case scenario involving UNIVERSALSTRING at 2^30 characters, the size wraps to zero, resulting in a minimal allocation that is subsequently overwritten by several gigabytes of data. This may lead to a crash, undefined behavior, or attacker-controlled code execution. Triggering this issue requires an application to call `ASN1 mbstring copy()` or `ASN1 mbstring ncopy()` directly, or register a custom string type via `ASN1 STRING TABLE add()` with attacker-controlled input of half a gigabyte or more. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** When using the AES-OCB cipher with the one-shot `EVP Cipher()` interface, the application-supplied initialisation vector (IV) is silently discarded. This causes every message encrypted with the same key to use the same effective nonce, leading to (key, nonce) reuse and a loss of confidentiality. If the same path is used to compute the authentication tag, the tag depends only on the (key, IV) pair rather than the plaintext or ciphertext, which allows for universal forgery of arbitrary ciphertext from a single captured message. This occurs because the one-shot handler fails to flush the IV into the OCB context, unlike the streaming handler. If `EVP EncryptFinal ex()` is later used to obtain the authentication tag, the deferred IV setup clears the running checksum that should have been accumulated over the plaintext. **Recommendations** Avoid using the `EVP Cipher()` one-shot API with the AES-OCB cipher and instead use the documented streaming AEAD API consisting of `EVP CipherUpdate()` and `EVP CipherFinal ex()`.

**Name of the Vulnerable Software and Affected Versions** OpenSSL FIPS modules versions 3.0, 3.4, 3.5, 3.6, and 4.0 **Description** When the `EVP PKEY derive set peer()` function is called with a DHX (X9.42) peer key, the software fails to properly verify subgroup membership. Specifically, the check `Y^q ≡ 1 (mod p)` is performed using the `q` parameter provided by the peer instead of the local key's `q` parameter. While other domain parameters are matched against the private key, the `q` value is not compared. This allows a malicious peer to present an X9.42 key with the victim's `p` and `g` parameters, a forged `q` equal to `r` (a small prime factor of the cofactor `(p−1)/q local`), and a public value `Y` of order `r`. This bypasses checks and results in a shared secret with only `r` distinct values, leaking the private key modulo `r`. By repeating this process for each small-prime factor of the cofactor and combining the results via the Chinese Remainder Theorem (CRT), an attacker can recover the full private key. This is known as a Lim–Lee or small-subgroup-confinement attack. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** An integer truncation in the ASN.1 decoder occurs when parsing a crafted DER-encoded ASN.1 structure with a primitive element exceeding 2 gigabytes in length. This issue specifically affects 64-bit Unix and Unix-like platforms. The truncated length may be treated as a request to scan binary content for a terminating zero byte, leading to a heap buffer over-read. This can result in a Denial of Service by crashing the application or cause memory beyond the input buffer to be loaded into the decoded ASN.1 object. Applications that pass attacker-supplied data to decoding functions such as "d2i X509()", "d2i PKCS7()", or any other "d2i *" functions are affected. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** versions not specified **Description** An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. A use after free can lead to data corruption, crashes, or arbitrary code execution. The issue affects clients that use TLSA records with both PKIX-TA(0/PKIX-EE(1)) and DANE-TA(2) certificate usages. Clients that treat PKIX TLSA records as unusable or support only PKIX usages are not vulnerable. The client must also communicate with a server publishing a TLSA RRset with both types of TLSA records. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 3.5 and 3.6 OpenSSL versions prior to 3.4 OpenSSL versions prior to 3.3 OpenSSL versions prior to 3.0 OpenSSL versions prior to 1.0.2 OpenSSL versions prior to 1.1.1 **Description** An issue exists in OpenSSL TLS 1.3 servers where the server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword. This can result in a less preferred key exchange being used, even when a more secure group is supported by both the client and server, if the preferred group was not included in the client's initial keyshare predictions. This is particularly relevant with new hybrid post-quantum groups, where the client might defer their use until specifically requested by the server. The root cause is an implementation defect that causes the 'DEFAULT' list to lose its 'tuple' structure, treating all server-supported groups as a single sufficiently secure tuple, and preventing the server from sending a Hello Retry Request (HRR) when a more preferred group is mutually supported. The issue does not affect OpenSSL FIPS modules. **Recommendations** OpenSSL version 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL version 3.5 users should upgrade to OpenSSL 3.5.6 once it is released. OpenSSL versions prior to 3.4 should be upgraded. OpenSSL versions prior to 3.3 should be upgraded. OpenSSL versions prior to 3.0 should be upgraded. OpenSSL versions prior to 1.0.2 should be upgraded. OpenSSL versions prior to 1.1.1 should be upgraded.

**Name of the Vulnerable Software and Affected Versions:** OpenSSL versions prior to 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.1.1zd, and 1.0.2zm. **Description:** OpenSSL contains vulnerabilities due to out-of-bounds read and write issues. Specifically, an out-of-bounds read and write can occur when decrypting CMS messages encrypted using password-based encryption, potentially leading to a crash or memory corruption. Additionally, an out-of-bounds read can occur in the HTTP client API functions when the 'no proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address. The FIPS modules in OpenSSL versions 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected. **Recommendations:** Upgrade OpenSSL to version 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.1.1zd, or 1.0.2zm to address these vulnerabilities.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 3.2 through 3.4 **Description** The issue arises when TLS clients explicitly enable the use of Raw Public Keys (RPKs) by the server, and the server enables sending of an RPK instead of an X.509 certificate chain. Clients that rely on the handshake to fail when the server's RPK fails to match one of the expected public keys, by setting the verification mode to SSL VERIFY PEER, may not notice that the server was not authenticated. This could lead to man-in-the-middle attacks on TLS and DTLS connections using RPKs. RPKs are disabled by default in both TLS clients and TLS servers. The FIPS modules in versions 3.0, 3.1, 3.2, 3.3, and 3.4 are not affected by this issue. It is estimated that over 71 million services may be vulnerable. **Recommendations** To resolve the issue, upgrade to version 3.2.4, 3.3.2, or 3.4.1, as these versions have the vulnerability patched. For versions 3.2, 3.3, and 3.4, upgrade to the respective patched versions to prevent man-in-the-middle attacks. As a temporary workaround, consider disabling the use of RPKs until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the `SSL VERIFY PEER` verification mode in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 3.5 and 3.6 **Description** The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error. This can lead a user to believe an entire file is authenticated when trailing data beyond 16MB remains unauthenticated. The issue affects only the command-line tool behavior and does not impact verifiers that process the full message using library APIs. Streaming digest algorithms for 'openssl dgst' and library users are also unaffected. The issue occurs when using one-shot signing algorithms such as Ed25519, Ed448, or ML-DSA. The tool truncates the input to the first 16MB and continues without signaling an error, creating an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath. **Recommendations** OpenSSL version 3.5: Avoid signing or verifying files larger than 16MB with one-shot signing algorithms using the 'openssl dgst' command-line tool. OpenSSL version 3.6: Avoid signing or verifying files larger than 16MB with one-shot signing algorithms using the 'openssl dgst' command-line tool.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions prior to 3.0.15 IBM AIX (affected versions not specified) **Description** The issue is related to a denial of service in X.509 name checks. Applications performing certificate name checks, such as TLS clients checking server certificates, may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Basic certificate chain validation is not affected, and the denial of service can occur only when the application also specifies an expected DNS name, Email address, or IP address. TLS servers are generally not affected, and the severity of the issue is Moderate. **Recommendations** For OpenSSL versions prior to 3.0.15, update to version 3.0.15 or later to resolve the issue. For IBM AIX, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: OpenSSL versions prior to 3.3.3 Description: The issue arises from the use of low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial, leading to out-of-bounds memory reads or writes. This can cause an application crash or potentially allow for remote code execution. However, the likelihood of a vulnerable application is low, as most protocols involving Elliptic Curve Cryptography either support only "named curves" or specify an X9.62 encoding of binary (GF(2^m)) curves that cannot represent problematic input values. The affected APIs include `EC GROUP new curve GF2m()`, `EC GROUP new from params()`, and various supporting `BN GF2m *()` functions. Recommendations: For versions prior to 3.3.3, update to version 3.3.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the vulnerable `EC GROUP new curve GF2m()` and `EC GROUP new from params()` functions, as well as the supporting `BN GF2m *()` functions, until a patch is available. Avoid using "exotic" explicit binary (GF(2^m)) curve parameters that can represent invalid field polynomials with a zero constant term.

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. This occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. The read buffer overrun might result in a crash, which could lead to a denial of service attack. In theory, it could also result in the disclosure of private memory contents, such as private keys or sensitive plaintext, although no working exploit leading to memory contents disclosure is known at the time of release of this advisory. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) MySQL Server versions 5.7.41 and earlier, 8.0.32 and earlier **Description** The public API function BIO new NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO f asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64 write ASN1() which may cause BIO new NDEF() to be called and will subsequently call BIO pop() on the BIO. Other public API functions that may be impacted by this include i2d ASN1 bio stream, BIO new CMS, BIO new PKCS7, i2d CMS bio stream and i2d PKCS7 bio stream. **Recommendations** For OpenSSL, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For MySQL Server versions 5.7.41 and earlier, 8.0.32 and earlier, update to a version that is not affected by this vulnerability. As a temporary workaround, consider disabling the `BIO new NDEF()` function until a patch is available. Restrict access to the vulnerable module `BIO f asn1` to minimize the risk of exploitation. Avoid using the `BIO pop()` function on the BIO until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 3.0.0 through 3.0.6 **Description** A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. This occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.` character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. **Recommendations** Update to OpenSSL version 3.0.7 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable function `ossl a2ulabel()` until a patch is available. Avoid using the `.` character in email addresses in certificates to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Heimdal versions prior to 7.4 **Description** The issue is related to the ` krb5 extract ticket()` function, which obtains service-principal names in a way that violates the Kerberos 5 protocol specification. This allows remote attackers to impersonate services with Orpheus' Lyre attacks. The problem arises because the function uses the unencrypted version of the service name stored in `ticket` instead of the encrypted version stored in `enc part`. This provides an opportunity for successful server impersonation and other attacks. **Recommendations** For Heimdal versions prior to 7.4, update to version 7.4 or later to resolve the issue. As a temporary workaround, consider modifying the ` krb5 extract ticket()` function to obtain the KDC-REP service name from the encrypted version stored in `enc part` instead of the unencrypted version stored in `ticket`. Restrict access to sensitive data and services until the update is applied to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows versions prior to the fixed version **Description** A security-feature bypass issue allows attackers to affect the system. This issue is related to Kerberos failing to prevent tampering with the SNAME field during ticket exchange. **Recommendations** For Microsoft Windows versions prior to the fixed version, update to a version that includes the fix for this issue to prevent attackers from bypassing Extended Protection for Authentication. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.11.5 **Description** The issue is related to the lack of protection for internal data in the Tcl component of the operating system. It can be exploited by a remote attacker to obtain sensitive information by leveraging SSLv2 support. **Recommendations** For Apple OS X versions prior to 10.11.5, update to version 10.11.5 or later to resolve the issue. As a temporary workaround, consider disabling SSLv2 support to minimize the risk of exploitation.