BSDSec

deadsimple BSD Security Advisories and Announcements

FreeBSD Errata Notice FreeBSD-EN-25:07.openssl

10 April, 2025 by errata-notices@freebsd.org | freebsd 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-25:07.openssl                                        Errata Notice
                                                          The FreeBSD Project

Topic:		Update OpenSSL to 3.0.16

Category:       contrib
Module:         openssl
Announced:      2025-04-10
Affects:        FreeBSD 14.2
Corrected:      2025-03-25 21:07:59 UTC (stable/14, 14.2-STABLE)
                2025-04-10 14:57:42 UTC (releng/14.2, 14.2-RELEASE-p3)
CVE Name:       CVE-2024-13176, CVE-2024-9143

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is a
collaborative effort to develop a robust, commercial-grade, full-featured Open
Source toolkit for the Transport Layer Security (TLS) protocol.  It is also a
general-purpose cryptography library.

II.  Problem Description

Automated security vulnerability scanners report that OpenSSL 3.0.15, included
with FreeBSD 14.2, is affected by CVE-2024-13176 and CVE-2024-9143.

1) CVE-2024-13176

A timing side-channel which could potentially allow recovering the private key
exists in the ECDSA signature computation.

2) CVE-2024-9143

Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit
values for the field polynomial can lead to out-of-bounds memory reads or
writes.

III. Impact

1) CVE-2024-13176

There is a timing signal of around 300 nanoseconds when the top word of the
inverted ECDSA nonce value is zero.  This can happen with significant
probability only for some of the supported elliptic curves.  In particular the
NIST P-521 curve is affected.

To be able to measure this leak, the attacker process must either be located
in the same physical computer or must have a very fast network connection with
low latency.

2) CVE-2024-9143

Applications working with "exotic" explicit binary (GF(2^m)) curve parameters,
that make it possible to represent invalid field polynomials with a zero
constant term, via the EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),
and various supporting BN_GF2m_*() or similar APIs, may terminate abruptly as
a result of reading or writing outside of array bounds.  Remote code execution
cannot easily be ruled out.

In all the protocols involving Elliptic Curve Cryptography known to the
OpenSSL developers either only "named curves" are supported, or, if explicit
curve parameters are supported, they specify an X9.62 encoding of binary
(GF(2^m)) curves that can't represent problematic input values.  Thus the
likelihood of existence of a vulnerable application is low.

In particular, the X9.62 encoding is used for ECC keys in X.509 certificates,
so problematic inputs cannot occur in the context of processing X.509
certificates.  Any problematic use-cases would have to be using an "exotic"
curve encoding.

IV.  Workaround

No workaround is available.

Systems not using base versions of OpenSSL are not affected.

Systems not exposed to low-latency adversaries and systems not using "exotic"
elliptic curve parameters are not affected.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date. A reboot is required following
the upgrade to ensure that all applications and kernel code has been rebuilt with
OpenSSL 3.0.16-provided code.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

The system should be rebooted after installing the update to ensure that all
applications are using OpenSSL 3.0.16.

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-25:07/openssl.patch
# fetch https://security.FreeBSD.org/patches/EN-25:07/openssl.patch.asc
# gpg --verify openssl.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              cb29db243bd0    stable/14-n270826
releng/14.2/                            862cd6b8fa9d  releng/14.2-n269522
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176>
<URL:https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:07.openssl.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38DoACgkQbljekB8A
Gu/03hAAhIoD5XT/ynR4g20mOs4e03spEnJSJARO6ZGSCdI7zis5dWjnWADu1gPi
GND4THVdOI50WDyg2kyvKivt06ykfxcfAzSV3mqn+mECsOjGknfs0UAmjc6ilW28
PPA8QnJjYYKI+EGSFnG510MZWUTZKlldJ86ECnn7xh4xrOsMBKSK53Fjy8y96Tc2
AUBzfu8uc0t9YdSCQlYp+T5ZEM8mXYiGbQBj+ZnLyVIhWjSWiR89wjUA7hjp0UQV
rzKEqx9kvPNLPLRT0belbzohSIwKiCYjL3ryqsMiCliGRn1Gyii7oLIOkVPIZNyt
QRCyifi/q5SdkYb3nkSzNlE7cYCDN2Qpnkdn6fVwxEjFgtsbG+Ljni/IXvFqf7A1
6LNZsBLiYFGrEha9yxiI1av0jO81Ktbu2U1QUosT1T856FGR6/1KKQzUfmL1JJY7
G0LTIrrzTJuuVeYe2f3AtwNpk+zjHH4plCORd7psdj5MwWtAAt5AifC7J0sdLcjj
V552p2qV18RBhY38zEpY8JmWxXukLp0IuKJjYLtP81I2g3JrSUkVvycyMmACKVm1
wzOgeAwA4qlfOaYaOffeouaMFrOqR9UGBdtiwxCiuerU3ZWhG1eXwHYTwfhBC9U4
eB7YiAdGz/xI1GK6OsfbCxWISXYiN+QXDIkSkdK4p3VPvjkVQeA=HLnD
-----END PGP SIGNATURE-----