OpenSSL CMS and PKCS7 Decryption Bleichenbacher Oracle Vulnerability

Vulnerability

A vulnerability in the OpenSSL library's CMS_decrypt and PKCS7_decrypt functions enables a Bleichenbacher-style attack. The issue arises when an attacker can supply CMS or S/MIME messages to the victim's application and observe the resulting error codes or decryption output. The vulnerability is present in OpenSSL versions 4.0, 3.6, 3.5, and 3.4, but not in the FIPS modules of these versions. The attack targets the RSA PKCS#1 v1.5 Key Transport mechanism and lets an attacker decrypt ciphertext or forge signatures under the victim's private RSA key.

Impact

Exploitation of this vulnerability allows an attacker to use the victim's application to decrypt RSA ciphertext or forge PKCS#1 v1.5 signatures under the victim's key.

Reproduction

The vulnerability is triggered when an application calls the decryption APIs (CMS_decrypt() or PKCS7_decrypt()) without providing the recipient certificate. OpenSSL then iterates over all KeyTransRecipientInfo (KTRI) entries in the message and attempts to unwrap each one. An attacker can craft a message with two KTRI entries: one wrapping a real content encryption key (CEK) under the victim's public key, and one carrying an arbitrary probe ciphertext. The application's error code and decryption output differ depending on whether the probe ciphertext unwrapped to a usable key, so observing them yields a Bleichenbacher oracle. Alternatively, if the decryption API is called with a recipient certificate that does not match any KTRI entry, OpenSSL substitutes a random key, and the same comparison of error codes and decryption results can be used to mount the attack.
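As an added example (not part of the advisory and not OpenSSL project code), the following Python walks a DER-encoded CMS ContentInfo, confirms it is EnvelopedData, and counts the KeyTransRecipientInfo entries. A mail gateway or S/MIME front end can use such a check to flag messages that carry more than one RSA key-transport recipient, the message shape the paragraph above describes. The DER walker and the minimal encoder are hand-written here; the sample message is constructed inline with placeholder bytes and is not a real ciphertext.

```python
"""Count KeyTransRecipientInfo (KTRI) entries in a CMS EnvelopedData message.

Added example, not from the advisory or the OpenSSL project. The structures
follow RFC 5652: ContentInfo ::= SEQUENCE { contentType OID, [0] EXPLICIT
EnvelopedData }, and recipientInfos is a SET OF RecipientInfo, where the
KTRI choice is the untagged SEQUENCE and the other choices are [1]..[4].
"""

ID_ENVELOPED_DATA = "1.2.840.113549.1.7.3"


def _read_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized DER length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the element at pos."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not supported")
    length, start = _read_len(buf, pos + 1)
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], end


def _children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        yield tag, v


def _decode_oid(value):
    """Decode OID content bytes to dotted notation."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def count_ktri(der):
    """Return the number of KTRI entries; raise ValueError if not EnvelopedData."""
    tag, content_info, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    kids = list(_children(content_info))
    if len(kids) != 2 or kids[0][0] != 0x06 or kids[1][0] != 0xA0:
        raise ValueError("malformed ContentInfo")
    if _decode_oid(kids[0][1]) != ID_ENVELOPED_DATA:
        raise ValueError("contentType is not id-envelopedData")
    env_tag, env, _ = _read_tlv(kids[1][1], 0)
    if env_tag != 0x30:
        raise ValueError("EnvelopedData must be a SEQUENCE")
    # EnvelopedData: version INTEGER, optional originatorInfo [0], recipientInfos SET
    ri_set = next((v for t, v in _children(env) if t == 0x31), None)
    if ri_set is None:
        raise ValueError("EnvelopedData has no recipientInfos")
    # KTRI is the untagged SEQUENCE choice; kari/kekri/pwri/ori are context-tagged
    return sum(1 for t, _ in _children(ri_set) if t == 0x30)


def flag_multi_ktri(der, limit=1):
    """Return (flagged, count): flagged when the message exceeds `limit` KTRI entries."""
    n = count_ktri(der)
    return n > limit, n


# ---- minimal DER encoder, used only to construct the sample message below ----

def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _encode_oid(dotted):
    nums = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * nums[0] + nums[1]])
    for n in nums[2:]:
        chunk = [n & 0x7F]
        n >>= 7
        while n:
            chunk.append(0x80 | (n & 0x7F))
            n >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def _ktri(serial, wrapped_key):
    """KeyTransRecipientInfo with an IssuerAndSerialNumber rid and rsaEncryption."""
    rid = _der(0x30, _der(0x30, b"") + _der(0x02, bytes([serial])))
    alg = _der(0x30, _encode_oid("1.2.840.113549.1.1.1") + _der(0x05, b""))
    return _der(0x30, _der(0x02, b"\x00") + rid + alg + _der(0x04, wrapped_key))


def build_enveloped_data(wrapped_keys):
    """Constructed sample: EnvelopedData with one KTRI per placeholder wrapped key."""
    ri_set = _der(0x31, b"".join(_ktri(i + 1, k) for i, k in enumerate(wrapped_keys)))
    eci = _der(0x30, _encode_oid("1.2.840.113549.1.7.1")
               + _der(0x30, _encode_oid("2.16.840.1.101.3.4.1.42") + _der(0x04, b"\x00" * 16))
               + _der(0x80, b"\xAA" * 32))  # [0] IMPLICIT encryptedContent, placeholder bytes
    env = _der(0x30, _der(0x02, b"\x00") + ri_set + eci)
    return _der(0x30, _encode_oid(ID_ENVELOPED_DATA) + _der(0xA0, env))


if __name__ == "__main__":
    normal = build_enveloped_data([b"\x01" * 256])
    two_recipients = build_enveloped_data([b"\x01" * 256, b"\x02" * 256])
    print("single recipient:", flag_multi_ktri(normal))         # (False, 1)
    print("two KTRI entries:", flag_multi_ktri(two_recipients))  # (True, 2)
```

The check deliberately counts only the untagged SEQUENCE choice, so KeyAgree, KEK, password and other RecipientInfo variants do not raise the count. A legitimate multi-recipient S/MIME message also carries several KTRI entries, so treat a hit as a review signal on a decryption endpoint that processes untrusted mail rather than as proof of an attack, and pair it with the version upgrade in the remediation section.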

Remediation

Users of OpenSSL 4.0 should upgrade to OpenSSL 4.0.1, those on OpenSSL 3.6 should upgrade to OpenSSL 3.6.3, OpenSSL 3.5 users should upgrade to OpenSSL 3.5.7, and OpenSSL 3.4 users should upgrade to OpenSSL 3.4.6. Instructions for downloading these versions can be found on the OpenSSL website.

Added: Jun 9, 2026, 8:03 PM
Updated: Jun 9, 2026, 8:03 PM

Vulnerability Rating

Custom Algorithm

spread: 8.6
impact: 5.0
exploitability: 8.4
remediation: 8.3
relevance: 9.6
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.