CryptoLib Memory Leak Vulnerability in KMC Encryption Function

Vulnerability

A memory leak vulnerability has been identified in CryptoLib versions prior to 1.4.3. The issue is in the 'cryptography_encrypt()' function of the KMC (Key Management Center) crypto-service client, which allocates several heap buffers to build the HTTP request to the KMC server and to parse the JSON it returns. None of these buffers is freed on any execution path, success or error, so every call leaks approximately 400 bytes. The leak accumulates for the lifetime of the process; under sustained encryption traffic it can exhaust available memory, degrading performance or causing an out-of-memory condition.

Impact

Triggering this vulnerability requires no special privilege and no malformed input: any workload that drives repeated calls to 'cryptography_encrypt()', including legitimate traffic, leaks around 400 bytes per call. The effect is a gradual exhaustion of system memory that degrades performance and can end in out-of-memory errors, i.e. a denial of service against the process that links CryptoLib, with no disclosure of key material described.

Reproduction

The vulnerability can be reproduced by calling 'cryptography_encrypt()' in the KMC (Key Management Center) encryption context against a mock KMC server that returns the responses the client expects. Build the test with AddressSanitizer enabled (its LeakSanitizer component performs the leak detection) and let the process exit normally; the sanitizer then reports the unfreed allocations made by each call to the encryption function. Because the leak is per call, the reported size grows linearly with the number of requests sent, which distinguishes it from a one-time initialization allocation.
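The following is an added, self-contained example that is not CryptoLib's code. It models the allocation pattern described under Vulnerability (several scratch buffers for the HTTP request and JSON parsing that are never freed) next to a corrected version with a single cleanup path, and it measures the per-call leak the way the Reproduction section describes, using a counting allocator so the result is visible without a sanitizer. The buffer sizes, the function names 'encrypt_leaky' and 'encrypt_fixed', and the 'mock_kmc_post' stand-in for the KMC round trip are assumptions chosen to mimic a roughly 400-byte-per-call leak.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer sizes; together they add up to the ~400 bytes per call
 * reported in the advisory. Not CryptoLib's real sizes. */
#define REQ_BUF_SIZE  192   /* HTTP request line + headers */
#define RESP_BUF_SIZE 128   /* HTTP response body          */
#define JSON_BUF_SIZE  80   /* JSON parsing scratch        */

/* Counting allocator: tracks bytes currently allocated so the leak can be
 * measured in-process. LeakSanitizer would report the same allocations. */
static size_t g_live_bytes = 0;

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (p) g_live_bytes += n;
    return p;
}

static void tracked_free(void *p, size_t n)
{
    if (p) { g_live_bytes -= n; free(p); }
}

size_t live_bytes(void) { return g_live_bytes; }

/* Stand-in for the KMC HTTP round trip (mock server): writes a constructed
 * JSON reply into resp, or fails when fail is nonzero. */
static int mock_kmc_post(const char *req, char *resp, size_t resp_len, int fail)
{
    (void)req;
    if (fail) return -1;
    snprintf(resp, resp_len, "{\"ciphertext\":\"deadbeef\",\"iv\":\"00\"}");
    return 0;
}

/* Leaky version: the pattern the advisory describes. Every return, on the
 * allocation-failure path, the KMC-error path and the success path, leaves
 * req/resp/json allocated. */
int encrypt_leaky(const unsigned char *pt, size_t pt_len, int fail_kmc)
{
    (void)pt;
    char *req  = tracked_malloc(REQ_BUF_SIZE);
    char *resp = tracked_malloc(RESP_BUF_SIZE);
    char *json = tracked_malloc(JSON_BUF_SIZE);
    if (!req || !resp || !json) return -2;                 /* leak */

    snprintf(req, REQ_BUF_SIZE, "POST /encrypt len=%zu", pt_len);
    if (mock_kmc_post(req, resp, RESP_BUF_SIZE, fail_kmc) != 0)
        return -1;                                          /* leak */

    strncpy(json, resp, JSON_BUF_SIZE - 1);
    json[JSON_BUF_SIZE - 1] = '\0';
    return 0;                                               /* leak on success too */
}

/* Fixed version: one exit path; every buffer is released whatever happened.
 * tracked_free tolerates NULL, so partial allocation failure is safe too. */
int encrypt_fixed(const unsigned char *pt, size_t pt_len, int fail_kmc)
{
    (void)pt;
    int status = -2;
    char *req  = tracked_malloc(REQ_BUF_SIZE);
    char *resp = tracked_malloc(RESP_BUF_SIZE);
    char *json = tracked_malloc(JSON_BUF_SIZE);
    if (!req || !resp || !json) goto cleanup;

    snprintf(req, REQ_BUF_SIZE, "POST /encrypt len=%zu", pt_len);
    if (mock_kmc_post(req, resp, RESP_BUF_SIZE, fail_kmc) != 0) {
        status = -1;
        goto cleanup;
    }

    strncpy(json, resp, JSON_BUF_SIZE - 1);
    json[JSON_BUF_SIZE - 1] = '\0';
    status = 0;

cleanup:
    tracked_free(json, JSON_BUF_SIZE);
    tracked_free(resp, RESP_BUF_SIZE);
    tracked_free(req, REQ_BUF_SIZE);
    return status;
}

/* Calls fn `calls` times with constructed plaintext and returns how many
 * bytes are still allocated afterwards: the per-call leak times the call count. */
size_t measure_leak(int (*fn)(const unsigned char *, size_t, int), int calls, int fail_kmc)
{
    static const unsigned char pt[] = "constructed plaintext";
    size_t before = g_live_bytes;
    for (int i = 0; i < calls; i++) fn(pt, sizeof pt - 1, fail_kmc);
    return g_live_bytes - before;
}

int main(void)
{
    printf("leaky: %zu bytes still allocated after 1000 calls\n", measure_leak(encrypt_leaky, 1000, 0));
    printf("fixed: %zu bytes still allocated after 1000 calls\n", measure_leak(encrypt_fixed, 1000, 0));
    return 0;
}
```

Compiling this with 'gcc -fsanitize=address -g' and running it reproduces the advisory's observation independently of the counter: at exit, LeakSanitizer lists the allocations made inside 'encrypt_leaky' as direct leaks, while 'encrypt_fixed' contributes none. The structural point of the fix is that cleanup lives in exactly one place that every path, including early error returns, must pass through.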

Remediation

Upgrade to CryptoLib version 1.4.3 or later, where this vulnerability has been patched. Until the upgrade is deployed, long-running processes that call 'cryptography_encrypt()' under sustained load should have their memory use monitored, since the leak only grows until the process is restarted.

Added: Jan 10, 2026, 1:20 AM
Updated: Jan 10, 2026, 1:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.6
remediation: 7.7
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.