In this post, we discuss CVE-2023-1255, a vulnerability in the Advanced Encryption Standard (AES) XTS mode cipher decryption implementation on 64-bit ARM platforms. The bug can cause the implementation to read past the input buffer, which, in some cases, leads to a crash.

Impact Summary

The CVE-2023-1255 vulnerability has implications for applications that use the AES-XTS algorithm on the 64-bit ARM platform. The issue can cause these applications to crash under rare circumstances. Typically, the AES-XTS algorithm is employed for disk encryption purposes.

Details

Upon further examination of the AES-XTS cipher decryption implementation for the 64-bit ARM platform, we have discovered that it reads beyond the end of the ciphertext buffer when the ciphertext size is 4 mod 5 in 16-byte blocks (e.g., 144 bytes or 1024 bytes). Should the memory following the ciphertext buffer be unmapped, a crash will be triggered, resulting in a denial of service.

In situations where an attacker has control over the size and location of the ciphertext buffer being decrypted by an application that uses AES-XTS on a 64-bit ARM platform, such applications are deemed vulnerable. However, this situation is quite unlikely, and as a result, the severity of this issue is considered low.

A simple C example that exercises the affected decryption path is shown below:

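#include <openssl/aes.h>   // AES_BLOCK_SIZE
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <string.h>

int main(void) {
  unsigned char key[64];                // AES-256-XTS takes two 256-bit keys (64 bytes)
  unsigned char iv[AES_BLOCK_SIZE * 2]; // only the first 16 bytes are used as the tweak
  unsigned char plaintext[1024];        // 64 blocks, and 64 mod 5 == 4: an affected size
  unsigned char ciphertext[1024 + AES_BLOCK_SIZE];
  int outlen, ctlen;

  memset(plaintext, 'A', sizeof(plaintext));

  // Generate random key and IV
  RAND_bytes(key, sizeof(key));
  RAND_bytes(iv, sizeof(iv));

  // Encrypt data using AES-XTS
  EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
  EVP_EncryptInit_ex(ctx, EVP_aes_256_xts(), NULL, key, iv);
  EVP_EncryptUpdate(ctx, ciphertext, &outlen, plaintext, sizeof(plaintext));
  ctlen = outlen;
  EVP_EncryptFinal_ex(ctx, ciphertext + ctlen, &outlen);
  ctlen += outlen;                      // 1024 bytes of ciphertext in total
  EVP_CIPHER_CTX_free(ctx);

  // Decrypt data using AES-XTS. Pass the real ciphertext length (1024), not
  // sizeof(ciphertext). On an affected build the read past the end of the
  // input happens here; it only crashes if the memory that follows is unmapped.
  ctx = EVP_CIPHER_CTX_new();
  EVP_DecryptInit_ex(ctx, EVP_aes_256_xts(), NULL, key, iv);
  EVP_DecryptUpdate(ctx, plaintext, &outlen, ciphertext, ctlen);
  EVP_DecryptFinal_ex(ctx, plaintext + outlen, &outlen);
  EVP_CIPHER_CTX_free(ctx);

  return 0;
}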
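
A test-harness sketch for the condition described under Details, added here as an example and not taken from OpenSSL or the advisory: it checks whether a length falls in the affected 4 mod 5 class and places a buffer directly in front of an inaccessible guard page, so a read past the end faults instead of going unnoticed. The names xts_len_is_affected and guarded_alloc are hypothetical, and counting only whole blocks for lengths that are not a multiple of 16 is an assumption.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1 /* exposes MAP_ANONYMOUS on glibc */
#endif
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define XTS_BLOCK 16 /* AES block size in bytes */

/* Returns 1 when len, counted in whole 16-byte blocks, is 4 mod 5 (the
 * sizes named in the post, e.g. 144 or 1024 bytes). Ignoring a trailing
 * partial block is an assumption of this example. */
int xts_len_is_affected(size_t len)
{
    return (len / XTS_BLOCK) % 5 == 4;
}

/* Hypothetical helper: returns len writable bytes that end exactly where a
 * PROT_NONE guard page begins, so reading even one byte past the buffer
 * faults. *map and *map_len receive the mapping for munmap().
 * Returns NULL on failure or when len is 0. */
unsigned char *guarded_alloc(size_t len, void **map, size_t *map_len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data = (len + page - 1) / page * page; /* round up to whole pages */
    if (len == 0) return NULL;
    unsigned char *base = mmap(NULL, data + page, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base + data, page, PROT_NONE) != 0) {
        munmap(base, data + page);
        return NULL;
    }
    *map = base;
    *map_len = data + page;
    return base + data - len; /* buffer ends where the guard page starts */
}

int main(void)
{
    void *map; size_t map_len;
    unsigned char *ct = guarded_alloc(1024, &map, &map_len);
    if (ct == NULL) return 1;
    memset(ct, 0, 1024); /* constructed input; copy real ciphertext here */
    /* pass ct and 1024 to the decrypt call under test at this point */
    munmap(map, map_len);
    return xts_len_is_affected(1024) ? 0 : 1;
}
```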

Original References

- OpenSSL Security Advisory 26 Feb 2015
- CVE-2023-1255

Exploit Details

As mentioned earlier, to exploit this vulnerability, an attacker needs to be able to control the size and location of the ciphertext buffer being decrypted by the application. Given the low probability of this occurrence, the issue has been classified as a low-severity one.

In conclusion, although this vulnerability poses a minimal risk to most systems, it is important to be aware of its presence within the AES-XTS cipher decryption implementation for the 64-bit ARM platform. It is recommended to keep your system updated and patched to mitigate potential security risks.

Timeline

Published on: 04/20/2023 17:15:00 UTC
Last modified on: 05/02/2023 16:42:00 UTC