Name of the Vulnerable Software and Affected Versions
OpenSSL versions 1.1.1, 3.0, 3.3, 3.4, 3.5 and 3.6
Description
A flaw exists in the handling of maliciously crafted PKCS#12 files when using the PKCS12_get_friendlyname() API. Processing a PKCS#12 file whose friendly name is a BMPString (UTF-16BE) containing non-ASCII BMP code points can lead to a one-byte write before the allocated buffer. This out-of-bounds write can corrupt memory and potentially result in a Denial of Service. The issue stems from an incorrect capacity calculation in the bmp_to_utf8() function during UTF-16 to UTF-8 conversion, specifically when handling BMP code points above U+07FF (which need three UTF-8 bytes each); the OPENSSL_uni2utf8() function is involved in this conversion. The vulnerability is triggered when parsing attacker-controlled PKCS#12 files via the public PKCS12_get_friendlyname() API. The FIPS modules in versions 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected.
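As an added illustration (not OpenSSL's own code), the C below computes the UTF-8 capacity a UTF-16BE BMPString needs, counting three bytes for code points above U+07FF, and converts only into a buffer that can hold the result plus its terminator. It assumes BMP-only input and rejects surrogate code units rather than decoding them; the sample friendly name and the function names are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
/* Exact UTF-8 byte count (excluding NUL) for a UTF-16BE BMPString of len bytes.
 * Returns SIZE_MAX on an odd length or a surrogate code unit (not decoded here). */
size_t bmp_utf8_capacity(const unsigned char *bmp, size_t len)
{
    size_t need = 0;
    if (len % 2 != 0) return SIZE_MAX;
    for (size_t i = 0; i < len; i += 2) {
        uint16_t cp = (uint16_t)((bmp[i] << 8) | bmp[i + 1]);
        if (cp >= 0xD800 && cp <= 0xDFFF) return SIZE_MAX;
        need += cp < 0x80 ? 1 : cp < 0x800 ? 2 : 3; /* 3 bytes above U+07FF */
    }
    return need;
}
/* Convert into out[cap]. Returns bytes written, or 0 when cap cannot hold the
 * result plus its NUL terminator, so no byte is ever written out of bounds. */
size_t bmp_to_utf8_checked(const unsigned char *bmp, size_t len,
                           unsigned char *out, size_t cap)
{
    size_t need = bmp_utf8_capacity(bmp, len), w = 0;
    if (need == SIZE_MAX || need >= cap) return 0;
    for (size_t i = 0; i < len; i += 2) {
        uint16_t cp = (uint16_t)((bmp[i] << 8) | bmp[i + 1]);
        if (cp < 0x80) {
            out[w++] = (unsigned char)cp;
        } else if (cp < 0x800) {
            out[w++] = (unsigned char)(0xC0 | (cp >> 6));
            out[w++] = (unsigned char)(0x80 | (cp & 0x3F));
        } else {
            out[w++] = (unsigned char)(0xE0 | (cp >> 12));
            out[w++] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
            out[w++] = (unsigned char)(0x80 | (cp & 0x3F));
        }
    }
    out[w] = '\0';
    return w;
}
/* Constructed sample friendly name: "a" U+0061, "é" U+00E9, "€" U+20AC
 * (1 + 2 + 3 = 6 UTF-8 bytes). */
static const unsigned char SAMPLE_BMP[] = { 0x00, 0x61, 0x00, 0xE9, 0x20, 0xAC };
/* 1 if a 7-byte buffer receives the expected bytes and a 6-byte one is refused. */
int sample_roundtrip(void)
{
    unsigned char big[7], small[6];
    return bmp_to_utf8_checked(SAMPLE_BMP, sizeof SAMPLE_BMP, big, sizeof big) == 6
        && memcmp(big, "a\xC3\xA9\xE2\x82\xAC", 7) == 0
        && bmp_to_utf8_checked(SAMPLE_BMP, sizeof SAMPLE_BMP, small, sizeof small) == 0;
}
```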
Recommendations
OpenSSL versions 1.1.1, 3.0, 3.3, 3.4, 3.5 and 3.6: At the moment, there is no information about a newer version that contains a fix for this vulnerability.