Showing 1 - 5 of 5

CVE-2023-6129

Status Candidate

Overview

Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary: If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs restores the contents of vector registers in a different order than they are saved. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is enabled on the server a malicious client can influence whether this AEAD cipher is used. This implies that TLS server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue.

Related Files

Ubuntu Security Notice USN-6622-1: Posted Feb 5, 2024; Authored by Ubuntu | Site security.ubuntu.com; Ubuntu Security Notice 6622-1 - David Benjamin discovered that OpenSSL incorrectly handled excessively long X9.42 DH keys. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, leading to a denial of service. Sverker Eriksson discovered that OpenSSL incorrectly handled POLY1304 MAC on the PowerPC architecture. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04.; tags | advisory, remote, denial of service, arbitrary; systems | linux, ubuntu; advisories | CVE-2023-5678, CVE-2023-6129, CVE-2023-6237, CVE-2024-0727; SHA-256 | ff69da46815898e29a74d2a9b2e923d655291a8edb80d059ecf7a44b3dc0eeb1; Download | Favorite | View

OpenSSL Toolkit 3.2.1: Posted Jan 31, 2024; Site openssl.org; OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide. The latest stable version is the 3.2 series supported until 23rd November 2025.; Changes: 5 security issues have been addressed.; tags | tool, encryption, protocol; systems | unix; advisories | CVE-2023-5678, CVE-2023-6129, CVE-2023-6237, CVE-2024-0727; SHA-256 | 83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39; Download | Favorite | View

OpenSSL Toolkit 3.1.5: Posted Jan 31, 2024; Site openssl.org; OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide. The 3.1 series is supported until 14th March 2025.; Changes: 5 security issues have been addressed.; tags | tool, encryption, protocol; systems | unix; advisories | CVE-2023-5678, CVE-2023-6129, CVE-2023-6237, CVE-2024-0727; SHA-256 | 6ae015467dabf0469b139ada93319327be24b98251ffaeceda0221848dc09262; Download | Favorite | View

OpenSSL Toolkit 3.0.13: Posted Jan 31, 2024; Site openssl.org; OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide. The 3.0 series is a Long Term Support (LTS) version and is supported until 7th September 2026.; Changes: 5 security issues have been addressed.; tags | tool, encryption, protocol; systems | unix; advisories | CVE-2023-5678, CVE-2023-6129, CVE-2023-6237, CVE-2024-0727; SHA-256 | 88525753f79d3bec27d2fa7c66aa0b92b3aa9498dafd93d7cfa4b3780cdae313; Download | Favorite | View

OpenSSL Security Advisory 20240109: Posted Jan 9, 2024; Site openssl.org; OpenSSL Security Advisory 20240109 - The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions.; tags | advisory; advisories | CVE-2023-6129; SHA-256 | 96d61a8c58cb14bf75cc794f7eb487fcc526fb0873fe97c3c9779d86fc65cb31; Download | Favorite | View

Page 1 of 1 Back 1 Next

Top Authors In Last 30 Days

Red Hat 204 files
Ubuntu 52 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 10 files
nu11secur1ty 7 files
Google Security Research 6 files
Milad Karimi 5 files
Jann Horn 4 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,023)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,346)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,586)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,464)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

CVE-2023-6129

Overview

Related Files

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems