CVE-2023-4807 (GCVE-0-2023-4807)

Vulnerability from cvelistv5 – Published: 2023-09-08 11:01 – Updated: 2025-08-27 20:42
VLAI
Title
POLY1305 MAC implementation corrupts XMM registers on Windows
Summary
Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions. Impact summary: If in an application that uses the OpenSSL library an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL does not save the contents of non-volatile XMM registers on Windows 64 platform when calculating the MAC of data larger than 64 bytes. Before returning to the caller all the XMM registers are set to zero rather than restoring their previous content. The vulnerable code is used only on newer x86_64 processors supporting the AVX512-IFMA instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However given the contents of the registers are just zeroized so the attacker cannot put arbitrary values inside, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3 and a malicious client can influence whether this AEAD cipher is used by the server. This implies that server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue. As a workaround the AVX512-IFMA instructions support can be disabled at runtime by setting the environment variable OPENSSL_ia32cap: OPENSSL_ia32cap=:~0x200000 The FIPS provider is not affected by this issue.
Severity
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-440 - Expected Behavior Violation
Assigner
References
Impacted products
Vendor Product Version
OpenSSL OpenSSL Affected: 3.1.0 , < 3.1.3 (semver)
Affected: 3.0.0 , < 3.0.11 (semver)
Affected: 1.1.1 , < 1.1.1w (custom)
Create a notification for this product.
Date Public
2023-09-08 00:00
Credits
Zach Wilson Bernd Edlinger
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:38:00.793Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "OpenSSL Advisory",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.openssl.org/news/secadv/20230908.txt"
          },
          {
            "name": "3.1.3 git commit",
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5"
          },
          {
            "name": "3.0.11 git commit",
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6754de4a121ec7f261b16723180df6592cbb4508"
          },
          {
            "name": "1.1.1w git commit",
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a632d534c73eeb3e3db8c7540d811194ef7c79ff"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230921-0001/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-4807",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T13:27:06.574022Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-27T20:42:52.433Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "lessThan": "3.1.3",
              "status": "affected",
              "version": "3.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.0.11",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.1.1w",
              "status": "affected",
              "version": "1.1.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Zach Wilson"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Bernd Edlinger"
        }
      ],
      "datePublic": "2023-09-08T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Issue summary: The POLY1305 MAC (message authentication code) implementation\u003cbr\u003econtains a bug that might corrupt the internal state of applications on the\u003cbr\u003eWindows 64 platform when running on newer X86_64 processors supporting the\u003cbr\u003eAVX512-IFMA instructions.\u003cbr\u003e\u003cbr\u003eImpact summary: If in an application that uses the OpenSSL library an attacker\u003cbr\u003ecan influence whether the POLY1305 MAC algorithm is used, the application\u003cbr\u003estate might be corrupted with various application dependent consequences.\u003cbr\u003e\u003cbr\u003eThe POLY1305 MAC (message authentication code) implementation in OpenSSL does\u003cbr\u003enot save the contents of non-volatile XMM registers on Windows 64 platform\u003cbr\u003ewhen calculating the MAC of data larger than 64 bytes. Before returning to\u003cbr\u003ethe caller all the XMM registers are set to zero rather than restoring their\u003cbr\u003eprevious content. The vulnerable code is used only on newer x86_64 processors\u003cbr\u003esupporting the AVX512-IFMA instructions.\u003cbr\u003e\u003cbr\u003eThe consequences of this kind of internal application state corruption can\u003cbr\u003ebe various - from no consequences, if the calling application does not\u003cbr\u003edepend on the contents of non-volatile XMM registers at all, to the worst\u003cbr\u003econsequences, where the attacker could get complete control of the application\u003cbr\u003eprocess. However given the contents of the registers are just zeroized so\u003cbr\u003ethe attacker cannot put arbitrary values inside, the most likely consequence,\u003cbr\u003eif any, would be an incorrect result of some application dependent\u003cbr\u003ecalculations or a crash leading to a denial of service.\u003cbr\u003e\u003cbr\u003eThe POLY1305 MAC algorithm is most frequently used as part of the\u003cbr\u003eCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\u003cbr\u003ealgorithm. The most common usage of this AEAD cipher is with TLS protocol\u003cbr\u003eversions 1.2 and 1.3 and a malicious client can influence whether this AEAD\u003cbr\u003ecipher is used by the server. This implies that server applications using\u003cbr\u003eOpenSSL can be potentially impacted. However we are currently not aware of\u003cbr\u003eany concrete application that would be affected by this issue therefore we\u003cbr\u003econsider this a Low severity security issue.\u003cbr\u003e\u003cbr\u003eAs a workaround the AVX512-IFMA instructions support can be disabled at\u003cbr\u003eruntime by setting the environment variable OPENSSL_ia32cap:\u003cbr\u003e\u003cbr\u003e   OPENSSL_ia32cap=:~0x200000\u003cbr\u003e\u003cbr\u003eThe FIPS provider is not affected by this issue."
            }
          ],
          "value": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications on the\nWindows 64 platform when running on newer X86_64 processors supporting the\nAVX512-IFMA instructions.\n\nImpact summary: If in an application that uses the OpenSSL library an attacker\ncan influence whether the POLY1305 MAC algorithm is used, the application\nstate might be corrupted with various application dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL does\nnot save the contents of non-volatile XMM registers on Windows 64 platform\nwhen calculating the MAC of data larger than 64 bytes. Before returning to\nthe caller all the XMM registers are set to zero rather than restoring their\nprevious content. The vulnerable code is used only on newer x86_64 processors\nsupporting the AVX512-IFMA instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However given the contents of the registers are just zeroized so\nthe attacker cannot put arbitrary values inside, the most likely consequence,\nif any, would be an incorrect result of some application dependent\ncalculations or a crash leading to a denial of service.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3 and a malicious client can influence whether this AEAD\ncipher is used by the server. This implies that server applications using\nOpenSSL can be potentially impacted. However we are currently not aware of\nany concrete application that would be affected by this issue therefore we\nconsider this a Low severity security issue.\n\nAs a workaround the AVX512-IFMA instructions support can be disabled at\nruntime by setting the environment variable OPENSSL_ia32cap:\n\n   OPENSSL_ia32cap=:~0x200000\n\nThe FIPS provider is not affected by this issue."
        }
      ],
      "metrics": [
        {
          "format": "other",
          "other": {
            "content": {
              "text": "Low"
            },
            "type": "https://www.openssl.org/policies/secpolicy.html"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-440",
              "description": "CWE-440 Expected Behavior Violation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-14T14:55:50.502Z",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "name": "OpenSSL Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.openssl.org/news/secadv/20230908.txt"
        },
        {
          "name": "3.1.3 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5"
        },
        {
          "name": "3.0.11 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6754de4a121ec7f261b16723180df6592cbb4508"
        },
        {
          "name": "1.1.1w git commit",
          "tags": [
            "patch"
          ],
          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a632d534c73eeb3e3db8c7540d811194ef7c79ff"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "POLY1305 MAC implementation corrupts XMM registers on Windows",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2023-4807",
    "datePublished": "2023-09-08T11:01:53.663Z",
    "dateReserved": "2023-09-06T16:32:29.871Z",
    "dateUpdated": "2025-08-27T20:42:52.433Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-4807",
      "date": "2026-06-08",
      "epss": "0.00675",
      "percentile": "0.71858"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.1.1\", \"versionEndExcluding\": \"1.1.1w\", \"matchCriteriaId\": \"AE28C377-98B8-48F3-9869-A5085F95D22C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.0.0\", \"versionEndExcluding\": \"3.0.11\", \"matchCriteriaId\": \"F9CA5322-712C-46EC-85D4-82BBCD86A370\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.1.0\", \"versionEndExcluding\": \"3.1.3\", \"matchCriteriaId\": \"8CD493DA-9CA9-4D3C-A2C0-BE0A06D7E265\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Issue summary: The POLY1305 MAC (message authentication code) implementation\\ncontains a bug that might corrupt the internal state of applications on the\\nWindows 64 platform when running on newer X86_64 processors supporting the\\nAVX512-IFMA instructions.\\n\\nImpact summary: If in an application that uses the OpenSSL library an attacker\\ncan influence whether the POLY1305 MAC algorithm is used, the application\\nstate might be corrupted with various application dependent consequences.\\n\\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL does\\nnot save the contents of non-volatile XMM registers on Windows 64 platform\\nwhen calculating the MAC of data larger than 64 bytes. Before returning to\\nthe caller all the XMM registers are set to zero rather than restoring their\\nprevious content. The vulnerable code is used only on newer x86_64 processors\\nsupporting the AVX512-IFMA instructions.\\n\\nThe consequences of this kind of internal application state corruption can\\nbe various - from no consequences, if the calling application does not\\ndepend on the contents of non-volatile XMM registers at all, to the worst\\nconsequences, where the attacker could get complete control of the application\\nprocess. However given the contents of the registers are just zeroized so\\nthe attacker cannot put arbitrary values inside, the most likely consequence,\\nif any, would be an incorrect result of some application dependent\\ncalculations or a crash leading to a denial of service.\\n\\nThe POLY1305 MAC algorithm is most frequently used as part of the\\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\\nversions 1.2 and 1.3 and a malicious client can influence whether this AEAD\\ncipher is used by the server. This implies that server applications using\\nOpenSSL can be potentially impacted. However we are currently not aware of\\nany concrete application that would be affected by this issue therefore we\\nconsider this a Low severity security issue.\\n\\nAs a workaround the AVX512-IFMA instructions support can be disabled at\\nruntime by setting the environment variable OPENSSL_ia32cap:\\n\\n   OPENSSL_ia32cap=:~0x200000\\n\\nThe FIPS provider is not affected by this issue.\"}, {\"lang\": \"es\", \"value\": \"Resumen del problema: la implementaci\\u00f3n POLY1305 MAC (c\\u00f3digo de autenticaci\\u00f3n de mensajes) contiene un error que podr\\u00eda da\\u00f1ar el estado interno de las aplicaciones en la plataforma Windows 64 cuando se ejecutan en procesadores X86_64 m\\u00e1s nuevos que admiten las instrucciones AVX512-IFMA. Resumen del impacto: si en una aplicaci\\u00f3n que usa la librer\\u00eda OpenSSL un atacante puede influir en si se usa el algoritmo MAC POLY1305, el estado de la aplicaci\\u00f3n podr\\u00eda corromperse con varias consecuencias dependientes de la aplicaci\\u00f3n. La implementaci\\u00f3n POLY1305 MAC (c\\u00f3digo de autenticaci\\u00f3n de mensajes) en OpenSSL no guarda el contenido de los registros XMM no vol\\u00e1tiles en la plataforma Windows 64 al calcular la MAC de datos de m\\u00e1s de 64 bytes. Antes de regresar a la persona que llama, todos los registros XMM se establecen en cero en lugar de restaurar su contenido anterior. El c\\u00f3digo vulnerable se utiliza s\\u00f3lo en procesadores x86_64 m\\u00e1s nuevos que admiten las instrucciones AVX512-IFMA. Las consecuencias de este tipo de corrupci\\u00f3n del estado de la aplicaci\\u00f3n interna pueden ser diversas: desde ninguna consecuencia, si la aplicaci\\u00f3n que llama no depende en absoluto del contenido de los registros XMM no vol\\u00e1tiles, hasta las peores consecuencias, donde el atacante podr\\u00eda obtener el control total de el proceso de solicitud. Sin embargo, dado que el contenido de los registros simplemente se pone a cero para que el atacante no pueda colocar valores arbitrarios en su interior, la consecuencia m\\u00e1s probable, si la hubiera, ser\\u00eda un resultado incorrecto de algunos c\\u00e1lculos dependientes de la aplicaci\\u00f3n o una falla que provocar\\u00eda una denegaci\\u00f3n de servicio. El algoritmo POLY1305 MAC se utiliza con mayor frecuencia como parte del algoritmo CHACHA20-POLY1305 AEAD (cifrado autenticado con datos asociados). El uso m\\u00e1s com\\u00fan de este cifrado AEAD es con las versiones 1.2 y 1.3 del protocolo TLS y un cliente malicioso puede influir en si el servidor utiliza este cifrado AEAD. Esto implica que las aplicaciones de servidor que utilizan OpenSSL pueden verse potencialmente afectadas. Sin embargo, actualmente no conocemos ninguna aplicaci\\u00f3n concreta que pueda verse afectada por este problema, por lo que lo consideramos un problema de seguridad de gravedad Baja. Como workaround, el soporte de instrucciones AVX512-IFMA se puede desactivar en tiempo de ejecuci\\u00f3n configurando la variable de entorno OPENSSL_ia32cap: OPENSSL_ia32cap=:~0x200000 El proveedor FIPS no se ve afectado por este problema.\"}]",
      "id": "CVE-2023-4807",
      "lastModified": "2024-11-21T08:36:00.613",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}]}",
      "published": "2023-09-08T12:15:08.043",
      "references": "[{\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5\", \"source\": \"openssl-security@openssl.org\", \"tags\": [\"Mailing List\", \"Patch\"]}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6754de4a121ec7f261b16723180df6592cbb4508\", \"source\": \"openssl-security@openssl.org\", \"tags\": [\"Mailing List\", \"Patch\"]}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a632d534c73eeb3e3db8c7540d811194ef7c79ff\", \"source\": \"openssl-security@openssl.org\", \"tags\": [\"Mailing List\", \"Patch\"]}, {\"url\": \"https://www.openssl.org/news/secadv/20230908.txt\", \"source\": \"openssl-security@openssl.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Patch\"]}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6754de4a121ec7f261b16723180df6592cbb4508\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Patch\"]}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a632d534c73eeb3e3db8c7540d811194ef7c79ff\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Patch\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20230921-0001/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.openssl.org/news/secadv/20230908.txt\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "openssl-security@openssl.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"openssl-security@openssl.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-440\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-4807\",\"sourceIdentifier\":\"openssl-security@openssl.org\",\"published\":\"2023-09-08T12:15:08.043\",\"lastModified\":\"2025-04-23T17:16:47.073\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Issue summary: The POLY1305 MAC (message authentication code) implementation\\ncontains a bug that might corrupt the internal state of applications on the\\nWindows 64 platform when running on newer X86_64 processors supporting the\\nAVX512-IFMA instructions.\\n\\nImpact summary: If in an application that uses the OpenSSL library an attacker\\ncan influence whether the POLY1305 MAC algorithm is used, the application\\nstate might be corrupted with various application dependent consequences.\\n\\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL does\\nnot save the contents of non-volatile XMM registers on Windows 64 platform\\nwhen calculating the MAC of data larger than 64 bytes. Before returning to\\nthe caller all the XMM registers are set to zero rather than restoring their\\nprevious content. The vulnerable code is used only on newer x86_64 processors\\nsupporting the AVX512-IFMA instructions.\\n\\nThe consequences of this kind of internal application state corruption can\\nbe various - from no consequences, if the calling application does not\\ndepend on the contents of non-volatile XMM registers at all, to the worst\\nconsequences, where the attacker could get complete control of the application\\nprocess. However given the contents of the registers are just zeroized so\\nthe attacker cannot put arbitrary values inside, the most likely consequence,\\nif any, would be an incorrect result of some application dependent\\ncalculations or a crash leading to a denial of service.\\n\\nThe POLY1305 MAC algorithm is most frequently used as part of the\\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\\nversions 1.2 and 1.3 and a malicious client can influence whether this AEAD\\ncipher is used by the server. This implies that server applications using\\nOpenSSL can be potentially impacted. However we are currently not aware of\\nany concrete application that would be affected by this issue therefore we\\nconsider this a Low severity security issue.\\n\\nAs a workaround the AVX512-IFMA instructions support can be disabled at\\nruntime by setting the environment variable OPENSSL_ia32cap:\\n\\n   OPENSSL_ia32cap=:~0x200000\\n\\nThe FIPS provider is not affected by this issue.\"},{\"lang\":\"es\",\"value\":\"Resumen del problema: la implementaci\u00f3n POLY1305 MAC (c\u00f3digo de autenticaci\u00f3n de mensajes) contiene un error que podr\u00eda da\u00f1ar el estado interno de las aplicaciones en la plataforma Windows 64 cuando se ejecutan en procesadores X86_64 m\u00e1s nuevos que admiten las instrucciones AVX512-IFMA. Resumen del impacto: si en una aplicaci\u00f3n que usa la librer\u00eda OpenSSL un atacante puede influir en si se usa el algoritmo MAC POLY1305, el estado de la aplicaci\u00f3n podr\u00eda corromperse con varias consecuencias dependientes de la aplicaci\u00f3n. La implementaci\u00f3n POLY1305 MAC (c\u00f3digo de autenticaci\u00f3n de mensajes) en OpenSSL no guarda el contenido de los registros XMM no vol\u00e1tiles en la plataforma Windows 64 al calcular la MAC de datos de m\u00e1s de 64 bytes. Antes de regresar a la persona que llama, todos los registros XMM se establecen en cero en lugar de restaurar su contenido anterior. El c\u00f3digo vulnerable se utiliza s\u00f3lo en procesadores x86_64 m\u00e1s nuevos que admiten las instrucciones AVX512-IFMA. Las consecuencias de este tipo de corrupci\u00f3n del estado de la aplicaci\u00f3n interna pueden ser diversas: desde ninguna consecuencia, si la aplicaci\u00f3n que llama no depende en absoluto del contenido de los registros XMM no vol\u00e1tiles, hasta las peores consecuencias, donde el atacante podr\u00eda obtener el control total de el proceso de solicitud. Sin embargo, dado que el contenido de los registros simplemente se pone a cero para que el atacante no pueda colocar valores arbitrarios en su interior, la consecuencia m\u00e1s probable, si la hubiera, ser\u00eda un resultado incorrecto de algunos c\u00e1lculos dependientes de la aplicaci\u00f3n o una falla que provocar\u00eda una denegaci\u00f3n de servicio. El algoritmo POLY1305 MAC se utiliza con mayor frecuencia como parte del algoritmo CHACHA20-POLY1305 AEAD (cifrado autenticado con datos asociados). El uso m\u00e1s com\u00fan de este cifrado AEAD es con las versiones 1.2 y 1.3 del protocolo TLS y un cliente malicioso puede influir en si el servidor utiliza este cifrado AEAD. Esto implica que las aplicaciones de servidor que utilizan OpenSSL pueden verse potencialmente afectadas. Sin embargo, actualmente no conocemos ninguna aplicaci\u00f3n concreta que pueda verse afectada por este problema, por lo que lo consideramos un problema de seguridad de gravedad Baja. Como workaround, el soporte de instrucciones AVX512-IFMA se puede desactivar en tiempo de ejecuci\u00f3n configurando la variable de entorno OPENSSL_ia32cap: OPENSSL_ia32cap=:~0x200000 El proveedor FIPS no se ve afectado por este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"openssl-security@openssl.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-440\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.1.1\",\"versionEndExcluding\":\"1.1.1w\",\"matchCriteriaId\":\"AE28C377-98B8-48F3-9869-A5085F95D22C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.0.11\",\"matchCriteriaId\":\"F9CA5322-712C-46EC-85D4-82BBCD86A370\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.1.0\",\"versionEndExcluding\":\"3.1.3\",\"matchCriteriaId\":\"8CD493DA-9CA9-4D3C-A2C0-BE0A06D7E265\"}]}]}],\"references\":[{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5\",\"source\":\"openssl-security@openssl.org\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6754de4a121ec7f261b16723180df6592cbb4508\",\"source\":\"openssl-security@openssl.org\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a632d534c73eeb3e3db8c7540d811194ef7c79ff\",\"source\":\"openssl-security@openssl.org\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://www.openssl.org/news/secadv/20230908.txt\",\"source\":\"openssl-security@openssl.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6754de4a121ec7f261b16723180df6592cbb4508\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a632d534c73eeb3e3db8c7540d811194ef7c79ff\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20230921-0001/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.openssl.org/news/secadv/20230908.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.openssl.org/news/secadv/20230908.txt\", \"name\": \"OpenSSL Advisory\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5\", \"name\": \"3.1.3 git commit\", \"tags\": [\"patch\", \"x_transferred\"]}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6754de4a121ec7f261b16723180df6592cbb4508\", \"name\": \"3.0.11 git commit\", \"tags\": [\"patch\", \"x_transferred\"]}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a632d534c73eeb3e3db8c7540d811194ef7c79ff\", \"name\": \"1.1.1w git commit\", \"tags\": [\"patch\", \"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20230921-0001/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T07:38:00.793Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-4807\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T13:27:06.574022Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T15:07:22.777Z\"}}], \"cna\": {\"title\": \"POLY1305 MAC implementation corrupts XMM registers on Windows\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Zach Wilson\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Bernd Edlinger\"}], \"metrics\": [{\"other\": {\"type\": \"https://www.openssl.org/policies/secpolicy.html\", \"content\": {\"text\": \"Low\"}}, \"format\": \"other\"}], \"affected\": [{\"vendor\": \"OpenSSL\", \"product\": \"OpenSSL\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.1.0\", \"lessThan\": \"3.1.3\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"3.0.11\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.1.1\", \"lessThan\": \"1.1.1w\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2023-09-08T00:00:00.000Z\", \"references\": [{\"url\": \"https://www.openssl.org/news/secadv/20230908.txt\", \"name\": \"OpenSSL Advisory\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5\", \"name\": \"3.1.3 git commit\", \"tags\": [\"patch\"]}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6754de4a121ec7f261b16723180df6592cbb4508\", \"name\": \"3.0.11 git commit\", \"tags\": [\"patch\"]}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a632d534c73eeb3e3db8c7540d811194ef7c79ff\", \"name\": \"1.1.1w git commit\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Issue summary: The POLY1305 MAC (message authentication code) implementation\\ncontains a bug that might corrupt the internal state of applications on the\\nWindows 64 platform when running on newer X86_64 processors supporting the\\nAVX512-IFMA instructions.\\n\\nImpact summary: If in an application that uses the OpenSSL library an attacker\\ncan influence whether the POLY1305 MAC algorithm is used, the application\\nstate might be corrupted with various application dependent consequences.\\n\\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL does\\nnot save the contents of non-volatile XMM registers on Windows 64 platform\\nwhen calculating the MAC of data larger than 64 bytes. Before returning to\\nthe caller all the XMM registers are set to zero rather than restoring their\\nprevious content. The vulnerable code is used only on newer x86_64 processors\\nsupporting the AVX512-IFMA instructions.\\n\\nThe consequences of this kind of internal application state corruption can\\nbe various - from no consequences, if the calling application does not\\ndepend on the contents of non-volatile XMM registers at all, to the worst\\nconsequences, where the attacker could get complete control of the application\\nprocess. However given the contents of the registers are just zeroized so\\nthe attacker cannot put arbitrary values inside, the most likely consequence,\\nif any, would be an incorrect result of some application dependent\\ncalculations or a crash leading to a denial of service.\\n\\nThe POLY1305 MAC algorithm is most frequently used as part of the\\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\\nversions 1.2 and 1.3 and a malicious client can influence whether this AEAD\\ncipher is used by the server. This implies that server applications using\\nOpenSSL can be potentially impacted. However we are currently not aware of\\nany concrete application that would be affected by this issue therefore we\\nconsider this a Low severity security issue.\\n\\nAs a workaround the AVX512-IFMA instructions support can be disabled at\\nruntime by setting the environment variable OPENSSL_ia32cap:\\n\\n   OPENSSL_ia32cap=:~0x200000\\n\\nThe FIPS provider is not affected by this issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Issue summary: The POLY1305 MAC (message authentication code) implementation\u003cbr\u003econtains a bug that might corrupt the internal state of applications on the\u003cbr\u003eWindows 64 platform when running on newer X86_64 processors supporting the\u003cbr\u003eAVX512-IFMA instructions.\u003cbr\u003e\u003cbr\u003eImpact summary: If in an application that uses the OpenSSL library an attacker\u003cbr\u003ecan influence whether the POLY1305 MAC algorithm is used, the application\u003cbr\u003estate might be corrupted with various application dependent consequences.\u003cbr\u003e\u003cbr\u003eThe POLY1305 MAC (message authentication code) implementation in OpenSSL does\u003cbr\u003enot save the contents of non-volatile XMM registers on Windows 64 platform\u003cbr\u003ewhen calculating the MAC of data larger than 64 bytes. Before returning to\u003cbr\u003ethe caller all the XMM registers are set to zero rather than restoring their\u003cbr\u003eprevious content. The vulnerable code is used only on newer x86_64 processors\u003cbr\u003esupporting the AVX512-IFMA instructions.\u003cbr\u003e\u003cbr\u003eThe consequences of this kind of internal application state corruption can\u003cbr\u003ebe various - from no consequences, if the calling application does not\u003cbr\u003edepend on the contents of non-volatile XMM registers at all, to the worst\u003cbr\u003econsequences, where the attacker could get complete control of the application\u003cbr\u003eprocess. However given the contents of the registers are just zeroized so\u003cbr\u003ethe attacker cannot put arbitrary values inside, the most likely consequence,\u003cbr\u003eif any, would be an incorrect result of some application dependent\u003cbr\u003ecalculations or a crash leading to a denial of service.\u003cbr\u003e\u003cbr\u003eThe POLY1305 MAC algorithm is most frequently used as part of the\u003cbr\u003eCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\u003cbr\u003ealgorithm. The most common usage of this AEAD cipher is with TLS protocol\u003cbr\u003eversions 1.2 and 1.3 and a malicious client can influence whether this AEAD\u003cbr\u003ecipher is used by the server. This implies that server applications using\u003cbr\u003eOpenSSL can be potentially impacted. However we are currently not aware of\u003cbr\u003eany concrete application that would be affected by this issue therefore we\u003cbr\u003econsider this a Low severity security issue.\u003cbr\u003e\u003cbr\u003eAs a workaround the AVX512-IFMA instructions support can be disabled at\u003cbr\u003eruntime by setting the environment variable OPENSSL_ia32cap:\u003cbr\u003e\u003cbr\u003e   OPENSSL_ia32cap=:~0x200000\u003cbr\u003e\u003cbr\u003eThe FIPS provider is not affected by this issue.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-440\", \"description\": \"CWE-440 Expected Behavior Violation\"}]}], \"providerMetadata\": {\"orgId\": \"3a12439a-ef3a-4c79-92e6-6081a721f1e5\", \"shortName\": \"openssl\", \"dateUpdated\": \"2024-10-14T14:55:50.502Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-4807\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-27T20:42:52.433Z\", \"dateReserved\": \"2023-09-06T16:32:29.871Z\", \"assignerOrgId\": \"3a12439a-ef3a-4c79-92e6-6081a721f1e5\", \"datePublished\": \"2023-09-08T11:01:53.663Z\", \"assignerShortName\": \"openssl\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.