OpenSSL AES-SIV and AES-GCM-SIV Modes Authentication Vulnerability Allowing Message Forgery

Vulnerability

A vulnerability exists in OpenSSL's implementation of the AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) modes: authentication of Additional Authenticated Data (AAD) is mishandled when the ciphertext is empty. The flaw allows an attacker to forge messages with arbitrary AAD to a victim application that uses these ciphers. In the provider implementation, the authentication tag is only computed when decryption is performed on non-empty ciphertext. If AAD is supplied and `EVP_DecryptFinal_ex()` is called without first updating the ciphertext, the tag remains at its default value, all zeros. An attacker can therefore send empty ciphertext, arbitrary AAD, and an all-zeros tag in a single operation, and the tag is accepted as valid authentication under any key, which the attacker does not need to know. This vulnerability affects OpenSSL versions 4.0, 3.6, 3.5, 3.4, and 3.0 (for 3.0, only in AES-SIV mode).

Impact

Exploitation of this vulnerability allows for the forgery of empty messages with arbitrary AAD, which are then accepted by the victim's application as genuine, potentially leading to unauthorized actions or responses based on the forged message.

Reproduction

To reproduce this vulnerability, an application must implement its own protocol on the OpenSSL EVP interface and must skip the ciphertext update when an empty ciphertext is received. Such an application then calls `EVP_DecryptFinal_ex()` with AAD attached but without first updating the ciphertext, and the all-zeros tag is accepted as valid authentication.

Remediation

Users of OpenSSL 4.0 should upgrade to OpenSSL 4.0.1. Users of OpenSSL 3.6 should upgrade to OpenSSL 3.6.3. Users of OpenSSL 3.5 should upgrade to OpenSSL 3.5.7. Users of OpenSSL 3.4 should upgrade to OpenSSL 3.4.6. Users of OpenSSL 3.0 should upgrade to OpenSSL 3.0.21.

Added: Jun 9, 2026, 7:09 PM
Updated: Jun 9, 2026, 7:09 PM

Vulnerability Rating

Custom Algorithm
spread: 8.6
impact: 2.5
exploitability: 8.4
remediation: 7.7
relevance: 9.6
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.