CVE-2023-4807

Name of the Vulnerable Software and Affected Versions OpenSSL (affected versions not specified)

Description The POLY1305 MAC implementation in OpenSSL contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86 64 processors supporting the AVX512-IFMA instructions. If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application-dependent consequences. The consequences of this kind of internal application state corruption can be various, from no consequences to the worst consequences, where the attacker could get complete control of the application process. However, given the contents of the registers are just zeroized, the most likely consequence would be an incorrect result of some application-dependent calculations or a crash leading to a denial of service.

Recommendations As a workaround, the AVX512-IFMA instructions support can be disabled at runtime by setting the environment variable OPENSSL ia32cap: OPENSSL ia32cap=:~0x200000 At the moment, there is no information about a newer version that contains a fix for this vulnerability.