
The armv8_dec_aes_gcm_full() API fails to verify the authentication tag of AES-GCM protected data

Moderate
WonderfulVoid published GHSA-47c6-7x5x-r74g Feb 21, 2023

Package

AArch64cryptolib

Affected versions

All versions committed before 20230220

Patched versions

86065c6

Description

Impact

Due to an improperly initialized variable in the armv8_dec_aes_gcm_full() function, the computed AES-GCM authentication tag is treated as having zero length. The comparison against the received tag therefore covers no bytes at all, so the tag is never actually verified and authentication is always reported as successful.

An attacker in a man-in-the-middle position could modify protected data (e.g. network packets) without the AES-GCM authentication check detecting the change. The attacker does not hold the key and can only alter the ciphertext, but because GCM encrypts in counter mode, flipping a ciphertext bit flips the plaintext bit at the same position: the location of the corruption is attacker-controlled, and where the attacker knows or can guess the original plaintext, so is its content. If AArch64cryptolib is used with e.g. IPsec, replay attacks (re-sending unmodified encrypted data) might also be possible, since the missing tag check also removes the integrity guarantee that the sequence number normally relies on.

Patches

The problem is fixed in commit 86065c6.

Workarounds

Use the alternate armv8_dec_aes_gcm_from_state() API, where the authentication tag size is specified explicitly by the caller rather than taken from internal state.
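The following C program is an added illustration of the failure mode described under Impact and of why the Workarounds advice helps; it is not code from AArch64cryptolib. The state struct, the verifier functions and the toy tag function are all hypothetical stand-ins (a real implementation computes the tag with GHASH and has a different state layout), chosen so the example runs offline. What it shows is the core of the bug: a tag-length field that is left at zero turns a constant-time comparison into a no-op that accepts any tag, whereas a verifier that takes the tag length from the caller and rejects degenerate values catches the tampered data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GCM_TAG_LEN 16  /* full-size AES-GCM tag, 128 bits */

/* Hypothetical decryption state; the real AArch64cryptolib state differs. */
typedef struct {
    uint8_t computed_tag[GCM_TAG_LEN];
    size_t  tag_len;  /* the field the defective path never sets */
} toy_gcm_state;

/* Stand-in for GHASH so the example runs offline: NOT the real tag function.
 * Any single-byte change in ct changes at least one byte of out. */
static void toy_tag(const uint8_t *ct, size_t ct_len, uint8_t out[GCM_TAG_LEN]) {
    memset(out, 0, GCM_TAG_LEN);
    for (size_t i = 0; i < ct_len; i++)
        out[i % GCM_TAG_LEN] ^= (uint8_t)(ct[i] + i);
}

/* Constant-time equality over len bytes: 1 if equal, 0 otherwise.
 * With len == 0 the loop never runs and the result is always 1. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t len) {
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Models the defective behaviour: the state is zero-filled and tag_len is
 * never updated, so the comparison covers zero bytes and "succeeds" for any
 * received tag. */
int verify_buggy(const uint8_t *ct, size_t ct_len, const uint8_t *recv_tag) {
    toy_gcm_state st;
    memset(&st, 0, sizeof st);            /* tag_len := 0 and stays 0 */
    toy_tag(ct, ct_len, st.computed_tag);
    return ct_equal(st.computed_tag, recv_tag, st.tag_len);
}

/* Hardened form, in the spirit of the armv8_dec_aes_gcm_from_state()
 * workaround: the caller passes the tag length explicitly and degenerate
 * values are rejected before any comparison takes place. */
int verify_fixed(const uint8_t *ct, size_t ct_len,
                 const uint8_t *recv_tag, size_t tag_len) {
    uint8_t computed[GCM_TAG_LEN];
    if (tag_len == 0 || tag_len > GCM_TAG_LEN) return 0;
    toy_tag(ct, ct_len, computed);
    return ct_equal(computed, recv_tag, tag_len);
}

/* Constructed sample: a 20-byte "ciphertext" (arbitrary bytes, not real
 * AES output) whose genuine tag is computed with toy_tag(). */
static const uint8_t sample_ct[20] = {
    0x8f,0x01,0xa3,0x77,0x10,0xde,0xad,0xbe,0xef,0x42,
    0x00,0x19,0xc4,0x5b,0x6e,0x90,0x21,0xf0,0x33,0x7a };

/* Builds a copy of sample_ct with one bit flipped, as a man-in-the-middle
 * would do, alongside the genuine tag for the original. */
static void make_tampered(uint8_t tampered[20], uint8_t tag[GCM_TAG_LEN]) {
    toy_tag(sample_ct, sizeof sample_ct, tag);
    memcpy(tampered, sample_ct, sizeof sample_ct);
    tampered[3] ^= 0x80;
}

/* Returns 1 if the buggy verifier accepts the tampered ciphertext. */
int buggy_accepts_tampered(void) {
    uint8_t tag[GCM_TAG_LEN], tampered[20];
    make_tampered(tampered, tag);
    return verify_buggy(tampered, sizeof tampered, tag);
}

/* Returns 1 if the fixed verifier accepts the tampered ciphertext. */
int fixed_accepts_tampered(void) {
    uint8_t tag[GCM_TAG_LEN], tampered[20];
    make_tampered(tampered, tag);
    return verify_fixed(tampered, sizeof tampered, tag, GCM_TAG_LEN);
}

/* Returns 1 if the fixed verifier accepts the genuine ciphertext. */
int fixed_accepts_genuine(void) {
    uint8_t tag[GCM_TAG_LEN];
    toy_tag(sample_ct, sizeof sample_ct, tag);
    return verify_fixed(sample_ct, sizeof sample_ct, tag, GCM_TAG_LEN);
}

int main(void) {
    printf("buggy verifier, tampered data: %s\n",
           buggy_accepts_tampered() ? "ACCEPTED" : "rejected");
    printf("fixed verifier, tampered data: %s\n",
           fixed_accepts_tampered() ? "ACCEPTED" : "rejected");
    printf("fixed verifier, genuine data:  %s\n",
           fixed_accepts_genuine() ? "accepted" : "REJECTED");
    return 0;
}
```

The point to take from the fixed path is not the comparison itself but the guard in front of it: a tag length of zero must be treated as an error, never as "nothing to check", and the length should come from the caller or a constant rather than from state that a code path may have forgotten to fill in.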

References

#5

Severity

Moderate, 5.8 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CVE ID

CVE-2023-26084

Weaknesses

Credits