Find, fix and prevent vulnerabilities in your code.

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS). The POLY1305 MAC (message authentication code) implementation might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting AVX512-IFMA instructions. If an attacker can influence whether the POLY1305 MAC algorithm is used in an application, the application state might be corrupted with various application dependent consequences, the most likely of which being denial of service. The maintainers are currently not aware of any concrete application that would be affected by this issue.

NOTES:

This vulnerability is only exploitable on Windows.

The FIPS provider is not affected by this issue.

Workaround

Disable AVX512-IFMA instructions by setting the environment variable OPENSSL_ia32cap: OPENSSL_ia32cap=:~0x200000

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade cryptography to version 41.0.4 or higher.

References

• Github Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• RedHat Bugzilla Bug
• Vulnerability Advisory

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) when processing specially crafted ASN.1 objects identifiers. Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a exploitation of this vulnerability.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade cryptography to version 41.0.0 or higher.

References

• GitHub Commit
• GitHub Commit
• RedHat Bugzilla Bug
• Security Advisory

Overview

Affected versions of this package are vulnerable to NULL Pointer Dereference when loading PKCS7 certificates. An attacker can cause a Denial of Service (DoS) by attempting to deserialize a PKCS7 blob/certificate.

Note:

This is only exploitable if the load_pem_pkcs7_certificates or load_der_pkcs7_certificates functions are called.

PoC

from cryptography.hazmat.primitives.serialization.pkcs7 import load_der_pkcs7_certificates, load_pem_pkcs7_certificates

pem_p7 = b"""
-----BEGIN PKCS7-----
MAsGCSqGSIb3DQEHAg==
-----END PKCS7-----
"""

der_p7 = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"

load_pem_pkcs7_certificates(pem_p7)
load_der_pkcs7_certificates(der_p7)

Remediation

Upgrade cryptography to version 41.0.6 or higher.

References

• GitHub Commit

Overview

Affected versions of this package are vulnerable to NULL Pointer Dereference in the pkcs12.serialize_key_and_certificates function. An attacker can crash the Python process.

Note: This is only exploitable if the vulnerable function is called with both:

1. A certificate whose public key does not match the provided private key.

2. An encryption_algorithm with hmac_hash set via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...).

Remediation

Upgrade cryptography to version 42.0.4 or higher.

References

• GitHub Commit
• GitHub PR

Overview

Affected versions of this package are vulnerable to Resource Exhaustion via the EVP_PKEY_public_check function. When the function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An attacker can cause a denial of service by supplying a specially crafted RSA key that triggers extensive computation.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade cryptography to version 42.0.2 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• OpenSSL Advisory
• RedHat Bugzilla Bug

Overview

Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to an issue in the POLY1305 MAC implementation on PowerPC CPUs. An attacker can corrupt the application state and cause incorrect calculations or potential denial of service by influencing the use of the POLY1305 MAC algorithm.

Note:

This is only exploitable if the attacker has the ability to affect the algorithm's usage and the application relies on non-volatile XMM registers.

Remediation

Upgrade cryptography to version 42.0.2 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• OpenSSL Advisory
• RedHat Bugzilla Bug

Overview

Affected versions of this package are vulnerable to NULL Pointer Dereference when processing a maliciously formatted PKCS12 file. The vulnerability exists due to improper handling of optional ContentInfo fields, which can be set to null. An attacker can cause a denial of service by sending crafted input that leads to applications loading files in PKCS12 format from untrusted sources to terminate abruptly.

Remediation

Upgrade cryptography to version 42.0.2 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub PR
• OpenSSL Advisory

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) in the DH_check(), DH_check_ex() and EVP_PKEY_param_check() functions, which are used to check a DH key or DH parameters.

When the key or parameters that are being checked contain an excessively large modulus value (the p parameter) this may cause slowness in processing. Some checks use the supplied modulus value even if it has already been found to be too large.

The OpenSSL dhparam and pkeyparam command line applications are also vulnerable, when using the -check option.

NOTE: The OpenSSL SSL/TLS implementation is not affected by this issue.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade cryptography to version 41.0.3 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• RedHat Bugzilla Bug
• Vulnerability Advisory

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) when the DH_generate_key(), DH_check_pub_key(), DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate() functions are used. An attacker can cause long delays and potentially a Denial of Service by supplying excessively long X9.42 DH keys or parameters obtained from an untrusted source.

Note:

This is only exploitable if the application uses these functions to generate or check an X9.42 DH key or parameters. Also, the OpenSSL pkey command line application, when using the -pubcheck option, as well as the OpenSSL genpkey command line application, are vulnerable to this issue.

Remediation

Upgrade cryptography to version 42.0.0 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• RedHat Bugzilla Bug
• Security Advisory

Overview

Affected versions of this package are vulnerable to Missing Cryptographic Step when the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() functions are used. An attacker can cause truncation or overreading of key and initialization vector (IV) lengths by altering the "keylen" or "ivlen" parameters within the OSSL_PARAM array after the key and IV have been established. This can lead to potential truncation or overruns during the initialization of some symmetric ciphers, such as RC2, RC4, RC5, CCM, GCM, and OCB. A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes.

Both truncations and overruns of the key and the IV will produce incorrect results and could, in some cases, trigger a memory exception.

Remediation

Upgrade cryptography to version 41.0.5 or higher.

References

• GitHub Commit
• GitHub Commit
• Security Advisory