CryptX
Affected versions: < 0.088_001
A stack buffer overflow has been identified in the Perl module CryptX in versions prior to 0.088_001. The flaw lies in four one-shot AEAD decrypt-and-verify helpers: gcm_decrypt_verify (Crypt::AuthEnc::GCM), ccm_decrypt_verify (Crypt::AuthEnc::CCM), chacha20poly1305_decrypt_verify (Crypt::AuthEnc::ChaCha20Poly1305) and eax_decrypt_verify (Crypt::AuthEnc::EAX). Each copies the caller-supplied authentication tag into a fixed 144-byte buffer on the stack without first checking the tag's length, so a tag longer than 144 bytes overwrites adjacent stack memory. The copy happens before the tag is compared against the computed value, so an attacker does not need the key to reach the overflow. Because the tag normally travels alongside the ciphertext, any application that hands a tag taken from untrusted input (a network message, a file, a token) to one of these helpers exposes the overflow to whoever produced that input.
The consequence is a classic stack smash. On a build without a stack protector, the overwritten saved registers or return address can be steered toward arbitrary code execution in the Perl process; on a stack-protected build the overflow is usually caught at function return and the process aborts, which is still a remotely triggerable denial of service.
To reproduce, call any of the four helpers (gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify or eax_decrypt_verify) with plausible key, nonce, associated data and ciphertext arguments but a tag longer than 144 bytes, for example a string of several hundred 'A' characters. The copy into the stack buffer overflows immediately, before any cryptographic check runs; on a stack-protected build the process dies with a stack-smashing error, and on an unprotected build the behaviour depends on which stack slots the excess bytes land on.
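As an added illustration of the bug class (this is not CryptX's own XS code, which wraps libtomcrypt), the following C shows a decrypt-and-verify routine that copies the caller's tag into a 144-byte stack buffer, first in the unchecked form the advisory describes and then with the length check that closes the hole. MAXBLOCKSIZE is libtomcrypt's 144-byte constant; the tag computation is a constructed toy checksum so the file builds without a crypto library, and the function names, the sample ciphertext and the 200-byte 'A' tag are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of the bug class, not CryptX's XS code.
 * MAXBLOCKSIZE (144) is libtomcrypt's constant and matches the 144-byte
 * stack buffer the advisory describes; everything else is assumed. */
#define MAXBLOCKSIZE 144
#define TAG_LEN 16            /* tag size of GCM and ChaCha20-Poly1305 */

enum verify_result { TAG_OK = 0, TAG_MISMATCH = 1, TAG_BAD_LENGTH = -1 };

/* Stand-in for the real AEAD tag computation (a toy checksum, NOT a MAC),
 * used only so the example runs without a crypto library. */
static void toy_tag(const uint8_t *ct, size_t ctlen, uint8_t out[TAG_LEN])
{
    memset(out, 0, TAG_LEN);
    for (size_t i = 0; i < ctlen; i++)
        out[i % TAG_LEN] ^= (uint8_t)(ct[i] + i);
}

/* Constant-time comparison: returns 0 if equal, 1 otherwise. */
static int ct_neq(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= (uint8_t)(a[i] ^ b[i]);
    return d != 0;
}

/* VULNERABLE pattern: the supplied tag is copied into a fixed 144-byte stack
 * buffer with no length check, so tag_len > 144 writes past tag_copy into
 * the saved registers and return address. Only ever called with in-bounds
 * input here, because actually triggering the overflow is undefined behaviour. */
int verify_tag_vulnerable(const uint8_t *ct, size_t ctlen,
                          const uint8_t *tag, size_t tag_len)
{
    uint8_t tag_copy[MAXBLOCKSIZE];
    uint8_t expected[TAG_LEN];

    memcpy(tag_copy, tag, tag_len);          /* unbounded copy: the bug */
    toy_tag(ct, ctlen, expected);
    if (tag_len != TAG_LEN) return TAG_MISMATCH;
    return ct_neq(tag_copy, expected, TAG_LEN) ? TAG_MISMATCH : TAG_OK;
}

/* FIXED pattern: refuse anything that does not fit before touching the
 * buffer, and additionally require the exact tag size of the algorithm. */
int verify_tag_fixed(const uint8_t *ct, size_t ctlen,
                     const uint8_t *tag, size_t tag_len)
{
    uint8_t tag_copy[MAXBLOCKSIZE];
    uint8_t expected[TAG_LEN];

    if (tag_len > sizeof tag_copy) return TAG_BAD_LENGTH;  /* the missing check */
    if (tag_len != TAG_LEN) return TAG_MISMATCH;           /* wrong size for this AEAD */
    memcpy(tag_copy, tag, tag_len);
    toy_tag(ct, ctlen, expected);
    return ct_neq(tag_copy, expected, TAG_LEN) ? TAG_MISMATCH : TAG_OK;
}

/* Constructed sample input: a fake ciphertext (not real AEAD output). */
static const uint8_t sample_ct[] = "constructed ciphertext bytes";
#define SAMPLE_CT_LEN (sizeof sample_ct - 1)

/* Happy path through both routines: a tag that matches the sample ciphertext. */
int demo_good_tag(int use_fixed)
{
    uint8_t good[TAG_LEN];
    toy_tag(sample_ct, SAMPLE_CT_LEN, good);
    return use_fixed ? verify_tag_fixed(sample_ct, SAMPLE_CT_LEN, good, TAG_LEN)
                     : verify_tag_vulnerable(sample_ct, SAMPLE_CT_LEN, good, TAG_LEN);
}

/* A correctly sized but tampered tag must still fail verification. */
int demo_tampered_tag(void)
{
    uint8_t bad[TAG_LEN];
    toy_tag(sample_ct, SAMPLE_CT_LEN, bad);
    bad[3] ^= 0x80;
    return verify_tag_fixed(sample_ct, SAMPLE_CT_LEN, bad, TAG_LEN);
}

/* The advisory's reproduction input: 200 bytes of 'A' as the tag.
 * verify_tag_vulnerable() would smash the stack on this; the fixed
 * routine rejects it before any copy. */
int demo_oversize_tag(void)
{
    uint8_t long_tag[200];
    memset(long_tag, 'A', sizeof long_tag);
    return verify_tag_fixed(sample_ct, SAMPLE_CT_LEN, long_tag, sizeof long_tag);
}

int main(void)
{
    printf("vulnerable, good tag: %d\n", demo_good_tag(0));
    printf("fixed, good tag:      %d\n", demo_good_tag(1));
    printf("fixed, tampered tag:  %d\n", demo_tampered_tag());
    printf("fixed, 200-byte tag:  %d\n", demo_oversize_tag());
    return 0;
}
```

The two routines differ only in the guard in front of the memcpy; for every in-bounds input they return the same result, which is why the bug went unnoticed by normal tests. The same pre-check belongs at the Perl call site while a vulnerable version is still deployed: compare length($tag) with the expected tag size before passing it to any of the four helpers.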
Users should upgrade to CryptX 0.088_001 or later, where this issue has been addressed. Until that upgrade is in place, code that calls these helpers with tags taken from untrusted input should reject any tag whose length does not match the algorithm's expected tag size before calling into CryptX; the check is cheap and also rejects the oversize tags that trigger the overflow.