#VU80565 Input validation error in OpenSSL - CVE-2023-4807


| Updated: 2024-07-03

Vulnerability identifier: #VU80565

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-4807

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the POLY1305 MAC (message authentication code) implementation. A remote attacker can send specially crafted input to the application and corrupt MM registers on Windows 64 platform, resulting in a denial of service condition.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OpenSSL: 1.1.1r - 1.1.1p, 3.0.0 - 3.0.10, 3.1.0 - 3.1.2

External links
https://www.openssl.org/news/secadv/20230908.txt
https://github.com/openssl/openssl/releases/tag/OpenSSL_1_1_1w

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell PowerProtect Data Manager
Multiple vulnerabilities in IBM Db2 Query Management Facility
Multiple vulnerabilities in IBM QRadar SIEM
Multiple vulnerabilities in IBM Maximo Application Suite - Manage Component
Multiple vulnerabilities in IBM Control Center
Multiple vulnerabilities in IBM Storage Ceph
Multiple vulnerabilities in IBM Cloud Transformation Advisor
Denial of service in Mitsubishi Electric MELSOFT MaiLab
Junos OS Evolved update for OpenSSL
Multiple vulnerabilities in ICONICS Products