Test ID:	1.3.6.1.4.1.25623.1.0.170622
Category:	General
Title:	OpenSSL Incorrect Cipher Key & IV Length Processing Vulnerability (20231024) - Windows
Summary:	OpenSSL is prone to an incorrect processing of key and; initialisation vector (IV) lengths vulnerability.
Description:	Summary: OpenSSL is prone to an incorrect processing of key and initialisation vector (IV) lengths vulnerability. Vulnerability Insight: When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the 'keylen' parameter or the IV length, via the 'ivlen' parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB. Vulnerability Impact: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. Affected Software/OS: OpenSSL version 3.0 and 3.1. Solution: Update to version 3.0.12, 3.1.4 or later. CVSS Score: 7.8 CVSS Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2023-5363 Debian Security Information: DSA-5532 (Google Search) https://www.debian.org/security/2023/dsa-5532 3.0.12 git commit https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d 3.1.4 git commit https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee OpenSSL Advisory https://www.openssl.org/news/secadv/20231024.txt http://www.openwall.com/lists/oss-security/2023/10/24/1
Copyright	Copyright (C) 2023 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.