OpenSSL Out-of-Bounds Read and Write Vulnerability in CMS Decryption

A vulnerability exists in OpenSSL versions 3.5, 3.4, 3.3, 3.2, 3.0, 1.1.1, and 1.0.2, specifically within the CMS (Cryptographic Message Syntax) implementation that supports password-based encryption. When an application attempts to decrypt CMS messages encrypted with this method, it can inadvertently cause an out-of-bounds read and write. This flaw may lead to a crash, causing a denial-of-service condition for the application. Additionally, the out-of-bounds write can corrupt memory, potentially allowing for a denial-of-service situation or the execution of attacker-supplied code.

Impact

Exploitation of this vulnerability can cause a crash, leading to a denial-of-service condition for the application. The memory corruption resulting from the out-of-bounds write can also be exploited to execute arbitrary code.

Reproduction

To reproduce this vulnerability, an application must be created that uses the OpenSSL library to decrypt CMS messages encrypted with password-based encryption. This can be done by setting the 'no_proxy' environment variable and sending a crafted CMS message that exploits the vulnerability during the decryption process.

Remediation

Users of OpenSSL 3.5 should upgrade to OpenSSL 3.5.4. Users of OpenSSL 3.4 should upgrade to OpenSSL 3.4.3. Users of OpenSSL 3.3 should upgrade to OpenSSL 3.3.5. Users of OpenSSL 3.2 should upgrade to OpenSSL 3.2.6. Users of OpenSSL 3.0 should upgrade to OpenSSL 3.0.18. Users of OpenSSL 1.1.1 should upgrade to OpenSSL 1.1.1zd (premium support customers only). Users of OpenSSL 1.0.2 should upgrade to OpenSSL 1.0.2zm (premium support customers only).