Skip to content

incorrect Authentication Tag length usage in AES GCM decryption

Critical
zandbelt published GHSA-3rhg-3gf2-6xgj Jul 12, 2023

Package

cjose

Affected versions

<=0.6.2.1

Patched versions

>=0.6.2.2

Description

Impact

The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE, see: https://github.com/cisco/cjose/blob/0.6.1/src/jwe.c#L1228-L1229:

  // set the expected GCM-mode authentication tag
  if (EVP_CIPHER_CTX_ctrl(ctx, CJOSE_EVP_CTRL_GCM_SET_TAG, jwe->enc_auth_tag.raw_len, jwe->enc_auth_tag.raw) != 1)

However, the spec https://datatracker.ietf.org/doc/html/rfc7518#section-4.7 says that a fixed length of 16 octets must be applied:

The requested size of the Authentication Tag output MUST be 128 bits, regardless of the key size.

Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly.

Patches

Users should upgrade to a version >= 0.6.2.2 from:
https://github.com/OpenIDC/cjose/releases/tag/v0.6.2.2

Workarounds

One should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC) if it is not possible to upgrade.

References

cisco#125

Severity

Critical

CVE ID

CVE-2023-37464

Weaknesses

No CWEs