CVE-2024-37305

EUVD-2024-36566

17.06.2024, 20:15

oqs-provider is a provider for the OpenSSL 3 cryptography library that adds support for post-quantum cryptography in TLS, X.509, and S/MIME using post-quantum algorithms from liboqs. Flaws have been identified in the way oqs-provider handles lengths decoded with DECODE_UINT32 at the start of serialized hybrid (traditional + post-quantum) keys and signatures. Unchecked length values are later used for memory reads and writes; malformed input can lead to crashes or information leakage. Handling of plain/non-hybrid PQ key operation is not affected. This issue has been patched in in v0.6.1. All users are advised to upgrade. There are no workarounds for this issue.

Classic Buffer Overflow

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 33%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
open_quantum_safe	oqs_provider	𝑥 < 0.6.1	ADP

openSUSE / SLES Releases

openSUSE Product

Release

liboqs-devel

suse enterprise desktop 15 SP6	0.12.0-150600.3.3.1 fixed
suse enterprise desktop 15 SP7	0.12.0-150600.3.3.1 fixed
suse enterprise sap 15 SP6	0.12.0-150600.3.3.1 fixed
suse enterprise sap 15 SP7	0.12.0-150600.3.3.1 fixed
suse enterprise server 15 SP6	0.12.0-150600.3.3.1 fixed
suse enterprise server 15 SP7	0.12.0-150600.3.3.1 fixed

liboqs7

suse enterprise desktop 15 SP6	0.12.0-150600.3.3.1 fixed
suse enterprise desktop 15 SP7	0.12.0-150600.3.3.1 fixed
suse enterprise sap 15 SP6	0.12.0-150600.3.3.1 fixed
suse enterprise sap 15 SP7	0.12.0-150600.3.3.1 fixed
suse enterprise server 15 SP6	0.12.0-150600.3.3.1 fixed
suse enterprise server 15 SP7	0.12.0-150600.3.3.1 fixed

oqs-provider

suse enterprise desktop 15 SP6	0.7.0-150600.3.3.1 fixed
suse enterprise desktop 15 SP7	0.7.0-150600.3.3.1 fixed
suse enterprise sap 15 SP6	0.7.0-150600.3.3.1 fixed
suse enterprise sap 15 SP7	0.7.0-150600.3.3.1 fixed
suse enterprise server 15 SP6	0.7.0-150600.3.3.1 fixed
suse enterprise server 15 SP7	0.7.0-150600.3.3.1 fixed

Common Weakness Enumeration

CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

References

https://github.com/open-quantum-safe/oqs-provider/pull/416

https://github.com/open-quantum-safe/oqs-provider/security/advisories/GHSA-pqvr-5cr8-v6fx

https://github.com/open-quantum-safe/oqs-provider/pull/416

https://github.com/open-quantum-safe/oqs-provider/security/advisories/GHSA-pqvr-5cr8-v6fx