CVE-2023-4807

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 08/09/2023
Last modified: 23/04/2025

Description

Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions.

Impact summary: If in an application that uses the OpenSSL library an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences.

The POLY1305 MAC (message authentication code) implementation in OpenSSL does not save the contents of non-volatile XMM registers on Windows 64 platform when calculating the MAC of data larger than 64 bytes. Before returning to the caller all the XMM registers are set to zero rather than restoring their previous content. The vulnerable code is used only on newer x86_64 processors supporting the AVX512-IFMA instructions.

The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However given the contents of the registers are just zeroized so the attacker cannot put arbitrary values inside, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service.

The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3 and a malicious client can influence whether this AEAD cipher is used by the server. This implies that server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue.

As a workaround the AVX512-IFMA instructions support can be disabled at runtime by setting the environment variable OPENSSL_ia32cap:

OPENSSL_ia32cap=:~0x200000

The FIPS provider is not affected by this issue.

Vulnerable products and versions

CPE                                          From                 Up to
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*    1.1.1 (including)    1.1.1w (excluding)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*    3.0.0 (including)    3.0.11 (excluding)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*    3.1.0 (including)    3.1.3 (excluding)
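As an added example (not part of this advisory or of OpenSSL's own code), a small Python checker that encodes the affected ranges from the table above, parses both OpenSSL version schemes (letter-suffixed 1.1.1x and numeric 3.x, including the first line of `openssl version` output), and applies the advisory's OPENSSL_ia32cap workaround value only to affected versions. The `workaround_env` helper is an assumption about how one might wrap a Win64 process launch; the advisory itself only gives the variable and value.

```python
import re
from typing import Dict, Optional, Tuple

# Affected ranges copied from the advisory's table: "From" inclusive, "Up to" exclusive.
AFFECTED_RANGES = [
    ("1.1.1", "1.1.1w"),
    ("3.0.0", "3.0.11"),
    ("3.1.0", "3.1.3"),
]

# Workaround value quoted in the advisory (masks the AVX512-IFMA capability bit).
WORKAROUND_IA32CAP = ":~0x200000"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> Tuple[int, int, int, int]:
    """Turn an OpenSSL version string into a tuple that sorts correctly.

    Accepts bare versions ("1.1.1w", "3.0.10") or the first line of
    `openssl version` ("OpenSSL 3.0.10 1 Aug 2023"). The 1.x series used
    letter suffixes for patch releases (1.1.1 < 1.1.1a < ... < 1.1.1w), so
    the suffix is encoded as a base-26 number with 0 meaning "no suffix";
    3.x releases have no suffix and compare on the numeric fields alone.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, patch, letters = match.groups()
    suffix = 0
    for ch in letters:
        suffix = suffix * 26 + (ord(ch) - ord("a") + 1)
    return int(major), int(minor), int(patch), suffix


def is_affected(version_text: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    version = parse_openssl_version(version_text)
    return any(
        parse_openssl_version(lo) <= version < parse_openssl_version(hi)
        for lo, hi in AFFECTED_RANGES
    )


def workaround_env(version_text: str, env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Assumed helper: copy `env` and set OPENSSL_ia32cap to the advisory's
    workaround value when the version is affected; otherwise leave it unchanged."""
    result = dict(env or {})
    if is_affected(version_text):
        result["OPENSSL_ia32cap"] = WORKAROUND_IA32CAP
    return result
```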