OpenSSL RSASVE Key Encapsulation Vulnerability Leading to Sensitive Data Leakage

Vulnerability

A vulnerability exists in OpenSSL's RSASVE key encapsulation method that can cause applications to inadvertently send the contents of an uninitialized memory buffer to a malicious peer. The issue arises because a failure of RSA_public_encrypt(), the function that is supposed to encrypt the data, is not handled properly. When the call fails, the key encapsulation method may still report success, leaving the buffer holding potentially sensitive data from previous application executions, which is then available to the attacker. This vulnerability affects OpenSSL versions 3.6, 3.5, 3.4, 3.3, 3.1, and 3.0, while versions 1.0.2 and 1.1.1 are not affected.

Impact

Exploitation of this vulnerability can lead to the unauthorized disclosure of sensitive data from the application's memory to an attacker.

Reproduction

To reproduce this vulnerability, use OpenSSL's RSASVE key encapsulation with an invalid RSA public key that has not been validated. The output buffer is then left uninitialized, and its stale contents are sent to the attacker instead of the correct KEM ciphertext.
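The failure mode described under Vulnerability and Reproduction, as a simplified model with the hardened handling beside it. This is an added example, not OpenSSL's code: toy_encrypt, encap_unchecked, encap_checked and stale_data_leaks are hypothetical names, the XOR transform is a placeholder for the RSA operation, and the "PASSWORD" bytes are constructed stale data.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the public-key encryption primitive: returns the
 * number of bytes written, or -1 on failure, leaving `out` untouched. */
static int toy_encrypt(int key_valid, const unsigned char *in, size_t len,
                       unsigned char *out)
{
    if (!key_valid)
        return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ 0x5a;          /* placeholder, not cryptography */
    return (int)len;
}

/* Flawed pattern: the primitive's failure is not propagated, so the caller
 * is told the output buffer holds a ciphertext when nothing was written. */
int encap_unchecked(int key_valid, const unsigned char *secret, size_t len,
                    unsigned char *ct)
{
    (void)toy_encrypt(key_valid, secret, len, ct);
    return 1;                           /* always reports success */
}

/* Hardened pattern: treat any non-positive or short result as failure and
 * clear the output so stale bytes can never be sent to the peer.
 * (Real code would use a cleanse routine the compiler cannot elide.) */
int encap_checked(int key_valid, const unsigned char *secret, size_t len,
                  unsigned char *ct)
{
    int n = toy_encrypt(key_valid, secret, len, ct);
    if (n <= 0 || (size_t)n != len) {
        memset(ct, 0, len);
        return 0;
    }
    return 1;
}

/* Returns 1 when an invalid key yields "success" with stale bytes still in
 * the buffer that would go out as the KEM ciphertext. */
int stale_data_leaks(int (*encap)(int, const unsigned char *, size_t,
                                  unsigned char *))
{
    static const unsigned char secret[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    unsigned char ct[8];
    memcpy(ct, "PASSWORD", 8);          /* constructed stale memory contents */
    int ok = encap(0 /* invalid key */, secret, sizeof secret, ct);
    return ok == 1 && memcmp(ct, "PASSWORD", 8) == 0;
}
```

An application on an unpatched build can apply the same defence at the call site: validate the peer's public key before encapsulation and zero the output buffer before the call, so that a falsely reported success cannot carry stale data.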

Remediation

Users of OpenSSL 3.0 should upgrade to version 3.0.20, those on 3.3 should upgrade to 3.3.7, users of 3.4 should upgrade to 3.4.5, and those on 3.5 should upgrade to 3.5.6. OpenSSL 3.6 users should upgrade to 3.6.2.

Added: Apr 7, 2026, 10:57 PM
Updated: Apr 7, 2026, 10:57 PM

Vulnerability Rating

Custom Algorithm

spread: 8.6
impact: 0.6
exploitability: 9.1
remediation: 7.9
relevance: 5.4
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.