Endpoint Vulnerability

0-byte record padding oracle


Severity: ModerateIf an application encounters a fatal protocol error and then callsSSL_shutdown() twice (once to send a close_notify, and once to receive one) thenOpenSSL can respond differently to the calling application if a 0 byte record isreceived with invalid padding compared to if a 0 byte record is received with aninvalid MAC. If the application then behaves differently based on that in a waythat is detectable to the remote peer, then this amounts to a padding oraclethat could be used to decrypt data.In order for this to be exploitable 'non-stitched' ciphersuites must be in use.Stitched ciphersuites are optimised implementations of certain commonly usedciphersuites. Also the application must call SSL_shutdown() twice even if aprotocol error has occurred (applications should not do this but some doanyway). AEAD ciphersuites are not impacted.This issue does not impact OpenSSL 1.1.1 or 1.1.0.OpenSSL 1.0.2 users should upgrade to 1.0.2r.This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram,with additional investigation by Steven Collison and Andrew Hourselt. It wasreported to OpenSSL on 10th December 2018.Note: Advisory updated to make it clearer that AEAD ciphersuites are not impacted.NoteOpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Supportfor 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11thSeptember 2019. Users of these versions should upgrade to OpenSSL 1.1.1.ReferencesURL for this Security Advisory:https://www.openssl.org/news/secadv/20190226.txtNote: the online version of the advisory may be updated with additional detailsover time.For details of OpenSSL severity classifications please see:https://www.openssl.org/policies/secpolicy.html

Affected Products