OpenSSL CVE-2019-1543 Weak Encryption Vulnerability

Description

Severity: Low

ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored.

It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce.

Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected.

Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable.

OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. The 1.1.1 mitigation for this issue can be found in commit f426625b6a. The 1.1.0 mitigation for this issue can be found in commit ee22257b14.

This issue does not impact OpenSSL 1.0.2.

This issue was discovered by Joran Dirk Greef of Ronomon. The fix was developed by Matt Caswell from the OpenSSL development team. It was reported to OpenSSL on 26th February 2019.

Note

OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th September 2019. Users of these versions should upgrade to OpenSSL 1.1.1.

References

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190306.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
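The nonce-length behaviour described in the advisory, modelled in Python as an added example (this is not OpenSSL's own code): effective_nonce reproduces the front-padding of short nonces and the silent dropping of leading bytes in long nonces, NonceReuseDetector flags two application-level nonces that collapse to the same 12 significant bytes under one key, and validate_nonce is the application-side mitigation of accepting only 12-byte nonces so that no bytes are ever padded or ignored. The 16-byte sample nonces are constructed for the example and all function and class names are this example's own.

```python
# Added example modelling the nonce handling described in the OpenSSL advisory
# for CVE-2019-1543. It is a model written from the advisory text, not code
# taken from OpenSSL.
from typing import Dict, Optional

NONCE_LEN = 12          # RFC 7539 nonce length in bytes
MAX_ACCEPTED_LEN = 16   # longest nonce the affected versions accepted (per advisory)


def effective_nonce(nonce: bytes) -> bytes:
    """Model of the 12 bytes the cipher actually sees in the affected versions.

    Shorter than 12 bytes: front-padded with zero bytes.
    Longer than 12 bytes (up to 16): only the last 12 bytes are significant;
    the leading bytes are ignored and are not covered by the Poly1305 tag.
    """
    if len(nonce) > MAX_ACCEPTED_LEN:
        raise ValueError("nonce longer than %d bytes is rejected" % MAX_ACCEPTED_LEN)
    if len(nonce) < NONCE_LEN:
        return b"\x00" * (NONCE_LEN - len(nonce)) + nonce
    return nonce[-NONCE_LEN:]


def validate_nonce(nonce: bytes) -> bytes:
    """Mitigation an application can apply regardless of library version:
    accept exactly 12-byte nonces, so nothing is padded or silently dropped."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("ChaCha20-Poly1305 nonce must be exactly %d bytes, got %d"
                         % (NONCE_LEN, len(nonce)))
    return nonce


class NonceReuseDetector:
    """Tracks the effective nonces used under one key and reports collisions.

    Two nonces an application treats as distinct may map to the same
    effective nonce; encrypting with both under one key is exactly the
    nonce reuse the advisory warns about.
    """

    def __init__(self) -> None:
        self._seen: Dict[bytes, bytes] = {}

    def check(self, nonce: bytes) -> Optional[bytes]:
        """Return the earlier nonce this one collides with, or None if it is fresh."""
        eff = effective_nonce(nonce)
        earlier = self._seen.get(eff)
        if earlier is None:
            self._seen[eff] = nonce
        return earlier


def demo() -> bool:
    """Constructed 16-byte nonces that differ only in their leading 4 bytes.

    An application incrementing the leading bytes believes it has a fresh
    nonce, but both values share the same 12 significant bytes.
    """
    det = NonceReuseDetector()
    n1 = bytes.fromhex("00000001" + "aabbccddeeff001122334455")
    n2 = bytes.fromhex("00000002" + "aabbccddeeff001122334455")
    first = det.check(n1)   # None: first use of these 12 significant bytes
    second = det.check(n2)  # n1: the "new" nonce is a reuse
    return first is None and second == n1


if __name__ == "__main__":
    print("leading-byte change detected as nonce reuse:", demo())
```

The detector is useful as a unit-test aid for code that manages its own nonces; in production the simpler and stronger fix is validate_nonce (or the library-side fix in the commits the advisory names), since a nonce of exactly 12 bytes leaves nothing for the implementation to pad or ignore.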

Affected Applications

OpenSSL

CVE References

CVE-2019-1543