OpenSSL CMS AuthEnvelopedData Processing May Accept Forged Messages

Vulnerability

A vulnerability exists in OpenSSL's Cryptographic Message Syntax (CMS) processing, specifically in the handling of AuthEnvelopedData containers. The issue arises from inadequate validation of the cipher and tag-length fields of the container. It is present in OpenSSL versions 4.0, 3.6, 3.5, 3.4, and 3.0. When an attacker sends a CMS message whose AuthEnvelopedData specifies a non-AEAD cipher, OpenSSL incorrectly accepts it and attempts to decrypt and validate the message. This could enable an on-path attacker to manipulate the decryption process, bypassing integrity checks and gaining key-equivalent functionality for the content-encryption key (CEK) used in the transaction.
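The validation the advisory describes as missing is a check that the contentEncryptionAlgorithm of an AuthEnvelopedData is an AEAD cipher with a sane tag (ICV) length. The following is an added example of such a pre-screen, not OpenSSL's code or its fix; the function names are my own, the AEAD OID allowlist is taken from RFC 5084 and RFC 8103, and the DER samples at the bottom are constructed for illustration.

```python
# Added example, not OpenSSL code: pre-screen a CMS AuthEnvelopedData contentEncryptionAlgorithm,
# rejecting non-AEAD ciphers and out-of-range GCM tag (ICV) lengths before decryption.
# Assumes DER input with short-form lengths (always the case for these AlgorithmIdentifiers).
# AEAD content-encryption OIDs permitted in AuthEnvelopedData (RFC 5084, RFC 8103).
AEAD_OIDS = {
    "2.16.840.1.101.3.4.1.6": "aes128-GCM", "2.16.840.1.101.3.4.1.26": "aes192-GCM",
    "2.16.840.1.101.3.4.1.46": "aes256-GCM", "2.16.840.1.101.3.4.1.7": "aes128-CCM",
    "2.16.840.1.101.3.4.1.27": "aes192-CCM", "2.16.840.1.101.3.4.1.47": "aes256-CCM",
    "1.2.840.113549.1.9.16.3.18": "ChaCha20-Poly1305",
}

def tlv(buf, pos=0):
    """Parse one short-form DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, ln = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + ln], pos + 2 + ln

def decode_oid(value):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def check_auth_enveloped_alg(alg_id):
    """Return (accepted, reason) for a DER AlgorithmIdentifier taken from AuthEnvelopedData."""
    tag, body, _ = tlv(alg_id)
    if tag != 0x30:
        return False, "AlgorithmIdentifier is not a SEQUENCE"
    tag, oid_bytes, pos = tlv(body)
    oid = decode_oid(oid_bytes) if tag == 0x06 else "<no OID>"
    name = AEAD_OIDS.get(oid)
    if name is None:
        return False, f"{oid} is not an AEAD cipher"
    if name.endswith("GCM"):
        # GCMParameters ::= SEQUENCE { aes-nonce OCTET STRING, aes-ICVlen INTEGER DEFAULT 12 }
        tag, params, _ = tlv(body, pos)
        if tag != 0x30:
            return False, "GCMParameters missing"
        _, _, p = tlv(params)  # skip aes-nonce
        icv_len = int.from_bytes(tlv(params, p)[1], "big") if p < len(params) else 12
        if not 12 <= icv_len <= 16:  # RFC 5084: AES-GCM-ICVlen is 12..16
            return False, f"GCM ICV length {icv_len} out of range"
    return True, name

# Constructed samples: aes128-GCM (12-byte nonce, 16-byte ICV) and aes128-CBC (16-byte IV).
SAMPLE_GCM = bytes.fromhex("301e 0609608648016503040106 3011 040c 000102030405060708090a0b 020110")
SAMPLE_CBC = bytes.fromhex("301d 0609608648016503040102 0410" + "00" * 16)
SAMPLE_GCM_SHORT_ICV = SAMPLE_GCM[:-1] + b"\x08"  # same structure but an 8-byte ICV
```

Run against the samples, the GCM identifier is accepted, the CBC identifier is rejected as non-AEAD, and the GCM identifier with an 8-byte ICV is rejected for its tag length.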

Impact

Exploitation of this vulnerability could allow an attacker to bypass integrity validation for a given message or achieve key-equivalent functionality for a CMS recipient, potentially leading to unauthorized decryption or manipulation of encrypted content.

Reproduction

To reproduce this vulnerability, send a CMS message containing AuthEnvelopedData with a non-AEAD cipher specified. OpenSSL will accept the message and attempt to decrypt it, creating an opportunity to bypass integrity checks and manipulate the decryption process.

Remediation

Users of OpenSSL 4.0 should upgrade to OpenSSL 4.0.1. Users of OpenSSL 3.6 should upgrade to OpenSSL 3.6.3. Users of OpenSSL 3.5 should upgrade to OpenSSL 3.5.7. Users of OpenSSL 3.4 should upgrade to OpenSSL 3.4.6. Users of OpenSSL 3.0 should upgrade to OpenSSL 3.0.21.

Added: Jun 9, 2026, 8:34 PM
Updated: Jun 9, 2026, 8:34 PM

Vulnerability Rating

Custom Algorithm

spread          8.6
impact          2.5
exploitability  7.2
remediation     7.7
relevance       9.4
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.