Home

CVE-2025-69419

Description

Issue summary: Calling PKCS12_get_friendlyname() function on a maliciouslycrafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containingnon-ASCII BMP code point can trigger a one byte write before the allocatedbuffer.Impact summary: The out-of-bounds write can cause a memory corruptionwhich can have various consequences including a Denial of Service.The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes,the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16source byte count as the destination buffer capacity to UTF8_putc(). For BMPcode points above U+07FF, UTF-8 requires three bytes, but the forwardedcapacity can be just two bytes. UTF8_putc() then returns -1, and this negativevalue is added to the output length without validation, causing thelength to become negative. The subsequent trailing NUL byte is then writtenat a negative offset, causing write outside of heap allocated buffer.The vulnerability is reachable via the public PKCS12_get_friendlyname() APIwhen parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses adifferent code path that avoids this issue, PKCS12_get_friendlyname() directlyinvokes the vulnerable function. Exploitation requires an attacker to providea malicious PKCS#12 file to be parsed by the application and the attackercan just trigger a one zero byte write before the allocated buffer.For that reason the issue was assessed as Low severity according to ourSecurity Policy.The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.OpenSSL 1.0.2 is not affected by this issue.

Risk Information

Base Score
7.4
MODERATE
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score
Exploitation Probability
0.06

Associated Vulnerability

VulnerabilityOS Platform
Multiple Vulnerabilities are affected in IBM MQ 9.3.5.1Windows
Multiple Vulnerabilities are affected in OpenSSL 3.4.3Windows
Multiple Vulnerabilities are affected in OpenSSL 3.5.4Windows
Multiple Vulnerabilities are affected in OpenSSL 3.6.0Windows
Multiple Vulnerabilities are affected in OpenSSL 3.0.18Windows
Multiple Vulnerabilities are affected in OpenSSL 3.3.5Windows
Multiple Vulnerabilities are affected in OpenSSL 1.1.1zeWindows
Multiple vulnerabilities are fixed in OpenSSL (3.6.1)Windows
Multiple vulnerabilities are fixed in OpenSSL (x64) (3.6.1)Windows
Multiple vulnerabilities are fixed in OpenSSL Light (3.6.1)Windows
Multiple vulnerabilities are fixed in OpenSSL Light (x64) (3.6.1)Windows
Multiple vulnerabilities are fixed in OpenSSL 3.5.5Windows
Multiple vulnerabilities are fixed in OpenSSL 3.4.4Windows
Multiple vulnerabilities are fixed in OpenSSL 3.3.6Windows
Multiple vulnerabilities are fixed in OpenSSL 3.0.19Windows
Multiple vulnerabilities are fixed in OpenSSL (MSI)(x64) 3.6.1Windows
Multiple vulnerabilities are fixed in OpenSSL (MSI)(x64) 3.5.5Windows
Multiple vulnerabilities are fixed in OpenSSL (MSI)(x64) 3.4.4Windows
Multiple vulnerabilities are fixed in OpenSSL (MSI)(x64) 3.3.6Windows
Multiple vulnerabilities are fixed in OpenSSL (MSI)(x64) 3.0.19Windows
Multiple vulnerabilities are fixed in OpenSSL (MSI)(x86) 3.6.1Windows
Multiple vulnerabilities are fixed in OpenSSL (MSI)(x86) 3.5.5Windows
Multiple vulnerabilities are fixed in OpenSSL (MSI)(x86) 3.4.4Windows
Multiple vulnerabilities are fixed in OpenSSL (MSI)(x86) 3.3.6Windows
Multiple vulnerabilities are fixed in OpenSSL (MSI)(x86) 3.0.19Windows
Multiple Vulnerabilities are affected in IBM MQ 9.1.0.33Windows
Multiple Vulnerabilities are affected in IBM MQ 9.2.0.40Windows
Multiple Vulnerabilities are affected in IBM MQ 9.3.0.36Windows
Multiple Vulnerabilities are affected in IBM MQ 9.4.0.17Windows
Multiple Vulnerabilities are affected in IBM MQ 9.4.5.0Windows
Multiple vulnerabilities are fixed in OpenSSL Light 3.5.5Windows
Multiple vulnerabilities are fixed in OpenSSL Light 3.4.4Windows
Multiple vulnerabilities are fixed in OpenSSL Light 3.3.6Windows
Multiple vulnerabilities are fixed in OpenSSL Light 3.0.19Windows
Multiple vulnerabilities are fixed in OpenSSL Light (x64) 3.5.5Windows
Multiple vulnerabilities are fixed in OpenSSL Light (x64) 3.4.4Windows
Multiple vulnerabilities are fixed in OpenSSL Light (x64) 3.3.6Windows
Multiple vulnerabilities are fixed in OpenSSL Light (x64) 3.0.19Windows
Multiple vulnerabilities are fixed in OpenSSL Library 3.6.1Windows
Multiple vulnerabilities are fixed in OpenSSL Library 3.5.5Windows
Multiple vulnerabilities are fixed in OpenSSL Library 3.4.4Windows
Multiple vulnerabilities are fixed in OpenSSL Library 3.3.6Windows
Multiple vulnerabilities are fixed in OpenSSL Library 3.0.19Windows
Multiple vulnerabilities are fixed in OpenSSL Library x86 3.6.1Windows
Multiple vulnerabilities are fixed in OpenSSL Library x86 3.5.5Windows
Multiple vulnerabilities are fixed in OpenSSL Library x86 3.4.4Windows
Multiple vulnerabilities are fixed in OpenSSL Library x86 3.3.6Windows
Multiple vulnerabilities are fixed in OpenSSL Library x86 3.0.19Windows

Patch Details

Click to see the patches provided by ManageEngine for this CVE
Patch IDPatch Description
PATCH-355449OpenSSL (3.6.1)
PATCH-355449OpenSSL (3.6.1)
PATCH-355449OpenSSL (3.6.1)
PATCH-355449OpenSSL (3.6.1)
PATCH-355449OpenSSL (3.6.1)
PATCH-355449OpenSSL (3.6.1)
PATCH-355449OpenSSL (3.6.1)
PATCH-355450OpenSSL (x64) (3.6.1)
PATCH-355451OpenSSL Light (3.6.1)
PATCH-355452OpenSSL Light (x64) (3.6.1)
PATCH-355449OpenSSL (3.6.1)
PATCH-355449OpenSSL (3.6.1)
PATCH-355449OpenSSL (3.6.1)
PATCH-355449OpenSSL (3.6.1)
PATCH-355451OpenSSL Light (3.6.1)
PATCH-355451OpenSSL Light (3.6.1)
PATCH-355451OpenSSL Light (3.6.1)
PATCH-355451OpenSSL Light (3.6.1)
PATCH-355452OpenSSL Light (x64) (3.6.1)
PATCH-355452OpenSSL Light (x64) (3.6.1)
PATCH-355452OpenSSL Light (x64) (3.6.1)
PATCH-355452OpenSSL Light (x64) (3.6.1)

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234