OpenSSL: Stack buffer overflow in CMS AuthEnvelopedData parsing

OpenSSL: Stack buffer overflow in CMS AuthEnvelopedData parsing(openssl-library.org)

102 points by MagerValp 110 days ago | 47 comments

ofek 110 days ago |

I'd encourage folks to read the recently-published statement [1] about the state of OpenSSL from Python's cryptography project.

[1]: https://news.ycombinator.com/item?id=46624352

tptacek 110 days ago | |

We're recording a Security Cryptography & Whatever with them in an hour or so, if anyone's got questions they want us asking Alex and Paul.

True facts: Paul co-created Frinkiac.

snvzz 110 days ago | |

Instead of everybody switching to LibreSSL, we had the Linux Foundation reward OpenSSL's incompetence with funding.

We are still suffering from that mistake, and LibreSSL is well-maintained and easier to migrate to than it ever was.

What the hell are we waiting for?

Is nobody at Debian, Fedora or Ubuntu able to step forward and set the direction?

seg_lol 109 days ago | | |

How about standardizing on an API, then switching backends can be up to the administrator of the machine.

chc4 110 days ago |

2026 and we still have bugs from copying unbounded user input into fixed size stack buffers in security critical code. Oh well, maybe we'll fix it in the next 30 years instead.

pjmlp 110 days ago | |

I recall Hoare,

"A consequence of this principle is that every occurrence of every subscript of every subscripted variable was on every occasion checked at run time against both the upper and the lower declared bounds of the array. Many years later we asked our customers whether they wished us to provide an option to switch off these checks in the interests of efficiency on production runs. Unanimously, they urged us not to they already knew how frequently subscript errors occur on production runs where failure to detect them could be disastrous. I note with fear and horror that even in 1980 language designers and users have not learned this lesson. In any respectable branch of engineering, failure to observe such elementary precautions would have long been against the law."

-- C.A.R Hoare's "The 1980 ACM Turing Award Lecture"

Guess what 1980's language he is referring to.

Then in 1988,

https://en.wikipedia.org/wiki/Morris_worm

It has been 46 years since the speech, and 38 since the Morris worm.

How many related improvements have been tackled by WG14?

seg_lol 109 days ago | | |

Humans are horribly unserious, yet extremely unfunny at the same time. What gives?

pseudohadamard 110 days ago | |

I particularly like the FIPS bit:

>The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.

"I hereby define the vulnerability to be outside the bit that I define to be secure, therefore we're not vulnerable".

nly 110 days ago | |

The bug isn't actually the copy but the bounds check.

If you had a dynamically sized heap allocated buffer as the destination you'd still have a denial of service attack, no matter what language was used.

tialaramex 110 days ago | | |

The actual vulnerability is indeed the copy. What we used to do is this:

1. Find out how big this data is, we tell the ASN.1 code how big it's allowed to be, but since we're not storing it anywhere those tests don't matter

2. Check we found at least some data, zero isn't OK, failure isn't OK, but too big is fine

3. Copy the too big data onto a local buffer

The API design is typical of C and has the effect of encouraging this mistake

    int ossl_asn1_type_get_octetstring_int(const ASN1_TYPE *a, long *num, unsigned char *data, int max_len)

That "int" we're returning is either -1 or the claimed length of the ASN.1 data without regard to how long that is or whether it makes sense.

This encourages people to either forget the return value entirely (it's just some integer, who cares, in the happy path this works) or check it for -1 which indicates some fatal ASN.1 layer problem, give up, but ignore other values.

If the thing you got back from your function was a Result type you'd know that this wasn't OK, because it isn't OK. But the "Eh, everything is an integer" model popular in C discourages such sensible choices because they were harder to implement decades ago.

JohnLeitch 110 days ago | | |

Assuming you're talking about a heap buffer overrun, it's still possible to exploit for EoP in some cases.

wat10000 110 days ago | | |

A denial of service attack is a million times better than an RCE attack.

rvz 110 days ago | |

2026 and why not vibe code our own cryptography library just like we are vibing lots of sandbox solutions? /s

pixl97 110 days ago | | |

It's 2023, why not use Rustls.

It's 2014, why not use LibreSSL.

You don't have to bring up AI, everyone just needs to leave OpenSSL to die.

TacticalCoder 110 days ago | | |

> 2026 and why not vibe code our own cryptography library just like we are vibing lots of sandbox solutions? /s

And make sure to make it a hybrid of PHP and JavaScript /s

selckin 110 days ago |

Can someone translate

"Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable"

to human?

tptacek 110 days ago | |

PKCS7 is a container format that pops up in a couple places in the TLS ecosystem (also in code signing); anywhere you need a secure blob that includes metadata. It's a very widely used format.

AEAD ciphers are those that simultaneously encrypt and authenticate data. AES-GCM is the most popular; Chapoly is the 2nd most popular. AEAD ciphers are how modern programs do encryption.

AEAD ciphers all rely on additional parameters, most commonly a nonce; it's critical to security that the nonce only ever be used once with a given key. You need the nonce to decrypt the AEAD ciphertext, so it's usually tacked on to the message (in more clever formats you can derive it contextually, but PKCS7 is a general-purpose format).

In parsing PKCS7 messages, when OpenSSL comes across AEAD-encrypted blobs, it needs to parse out the nonce. AEAD nonces tend to have fixed sizes, but there are extended-nonce variants of AEADs, and the format allows for arbitrary-sized values. OpenSSL assumed a fixed nonce size, but parsed with a library that handled arbitrary-sized values. Stack overflow.

A maliciously formatted Authenticode signature, certificate chain, OCSP response (I think?), all things that could trigger the bug.

pizlonator 110 days ago |

I just looked at the vuln in detail.

If you are using OpenSSL compiled with Fil-C, then you're safe. This attack will be nothing more than a denial of service (the attacker won't get to actually clobber the stack, or heap, or anything).

TacticalCoder 110 days ago |

Very strange, as I type this both Bullseye and Bookworm are marked as fixed but Trixie isn't yet:

https://security-tracker.debian.org/tracker/CVE-2025-11187

kroeckx 110 days ago | |

The correct URL is https://security-tracker.debian.org/tracker/CVE-2025-15467

You're pointing to one of the other security issues for which a fix was released today.

TacticalCoder 110 days ago | | |

TYVM for the proper URL kind sir!

Sesse__ 110 days ago | |

bullseye and bookworm have too old versions to be vulnerable, it seems.

TacticalCoder 110 days ago | | |

Oh that's interesting: it indeeds shows "not affected" in the second table on the link I pasted but before that on the first table it says "Status // Fixed / Fixed".

I never paid attention to the fact that one table had "Fixed" and the other "Not affected" for the same "Not affected" package.

alanfranz 110 days ago |

Is this really exploitable? Is stack smashing really still a thing on any modern platform?

alanfranz 110 days ago | |

I’ll answer to myself: an RCE is very unlikely on any modern platform. DoS is possible.

“ Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.”

From: https://openssl-library.org/news/secadv/20260127.txt

b1temy 110 days ago | | |

The link in the HN submission contains the same text and excerpt from your link.

Additionally they note: -

"While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk."

IMO, probably in of itself, this alone is not able to do much besides maybe a crash / Denial of Service on modern systems. But it might be able to be used as part of a more advanced exploit chain, alongside other vulnerabilities, to potentially reach remote code execution, though this would be a much more sophisticated exploit and is maybe a bit of a reach. Still, I hesitate to call it impossible on modern systems due to the creativity of exploit developers.

woodruffw 110 days ago | | |

"Modern platform" is doing a lot of lifting; CMS and PKCS#7 rear their heads in all kinds of random places, like encryption/signing of OTA updates for routers. Those platforms are often (unreasonably) 10-20 years behind the norm for compile-time mitigations.

chc4 110 days ago | |

OpenSSL is used by approximately everything under the sun. Some of those users will be vendors that use default compiler flags without stack cookies. A lot of IoT devices for example still don't have stack cookies for any of their software.

MajesticHobo2 110 days ago | |

Yes, but it would likely have to be chained with other bugs - at minimum, something that gives you an info leak.

JohnLeitch 110 days ago | |

It depends on what mitigations are in place and the arrangement of the stack. Even with stack canaries, having an unfortunate value on the stack e.g. a function pointer can still be quite dangerous if it can be overwritten without hitting any of the stack canaries.

buckle8017 110 days ago | |

That depends on how aggressively the service is restarted.

notherhack 110 days ago |

Looks like Debian and some other distros are still on the vulnerable 3.5.4. Why did Openssl publish before the distros rolled to the fixed version?

samueloph 110 days ago | |

This was patched on time: https://tracker.debian.org/news/1710762/accepted-openssl-354...

1over137 110 days ago |

Has anyone built OpenSSL with -fbounds-safety?

jeffbee 110 days ago |

Another "fix" in the long line of OpenSSL "fixes" that includes no changes to tests and therefore can't really be said to fix anything. Professional standards of software development are simply absent in the project, and apparently it cannot be reformed, because we've all been waiting a long time for OpenSSL to get its act together.

kroeckx 110 days ago | |

A test was added in this commit: https://github.com/openssl/openssl/commit/6297ac45d72ded9b45...

burnt-resistor 110 days ago | |

OpenSSL and other similar security substandard projects have process deficiencies that lead to similar bugs over and over again. They never seem to learn the lesson that doing the same thing and expecting a different result is stupidity and/or insanity.

m00dy 110 days ago |

Please use Rust.

johnisgood 109 days ago | |

Please use Ada / SPARK.