CVE-2023-4807: CWE-440 Expected Behavior Violation in OpenSSL
Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions.

Impact summary: If in an application that uses the OpenSSL library an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences.

The POLY1305 MAC (message authentication code) implementation in OpenSSL does not save the contents of non-volatile XMM registers on Windows 64 platform when calculating the MAC of data larger than 64 bytes. Before returning to the caller all the XMM registers are set to zero rather than restoring their previous content. The vulnerable code is used only on newer x86_64 processors supporting the AVX512-IFMA instructions.

The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However, given the contents of the registers are just zeroized so the attacker cannot put arbitrary values inside, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service.

The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3 and a malicious client can influence whether this AEAD cipher is used by the server. This implies that server applications using OpenSSL can be potentially impacted.

However, we are currently not aware of any concrete application that would be affected by this issue, therefore we consider this a Low severity security issue.

As a workaround the AVX512-IFMA instructions support can be disabled at runtime by setting the environment variable OPENSSL_ia32cap:

OPENSSL_ia32cap=:~0x200000

The FIPS provider is not affected by this issue.
AI Analysis
Technical Summary
CVE-2023-4807 is a vulnerability in the POLY1305 MAC implementation of the OpenSSL cryptographic library, affecting versions 1.1.1, 3.0.0, and 3.1.0. The flaw is reached only on Windows 64-bit platforms running on newer x86_64 processors that support the AVX512-IFMA instructions. The POLY1305 code fails to preserve the contents of the non-volatile XMM registers when calculating a MAC over data larger than 64 bytes: instead of restoring these registers before returning control to the calling application, it zeroizes them. The Windows 64-bit ABI requires the non-volatile XMM registers to be preserved across function calls, so this behavior violates the calling convention the caller relies on (CWE-440: Expected Behavior Violation).

The resulting register corruption can lead to unpredictable application behavior, including incorrect calculations, crashes, or denial of service. In the worst case, if the application keeps critical state in these registers, an attacker could gain control of the application process; however, because the registers are only zeroed, the attacker cannot inject arbitrary values into them, which makes incorrect results or a crash the most likely outcome.

The POLY1305 MAC is commonly used as part of the CHACHA20-POLY1305 AEAD cipher suite, which is widely employed in TLS 1.2 and TLS 1.3. A malicious client can influence whether this AEAD cipher is selected during TLS negotiation, so server applications using OpenSSL are the most exposed. No concrete exploit or affected application has been reported to date. The vulnerability can be mitigated by disabling AVX512-IFMA instruction support at runtime via the environment variable OPENSSL_ia32cap=:~0x200000. The FIPS provider in OpenSSL is not affected. Because the issue is specific to Windows 64-bit and to processors with AVX512-IFMA support, its scope is limited.

The CVSS v3.1 score is 7.8 (high), reflecting the potential for confidentiality, integrity, and availability impacts with low attack complexity but requiring local privileges and no user interaction. Note that this differs from OpenSSL's own assessment, which rates the issue Low severity because no affected application is known.
Potential Impact
For European organizations, the impact of CVE-2023-4807 depends on their use of OpenSSL versions 1.1.1, 3.0.0, or 3.1.0 on Windows 64-bit servers running on modern x86_64 CPUs with AVX512-IFMA support. Organizations operating TLS servers that allow CHACHA20-POLY1305 cipher suites could be vulnerable if a malicious client can influence cipher negotiation. Potential impacts include denial of service due to application crashes, incorrect cryptographic or application logic results, and in rare cases, full process compromise. This could affect critical infrastructure, web services, and internal applications relying on OpenSSL for secure communications. Given the vulnerability’s specificity to certain hardware and OS configurations, the overall risk is moderate but non-negligible for sectors with high security requirements such as finance, healthcare, and government. The inability to inject arbitrary register values reduces the likelihood of remote code execution but does not eliminate the risk of service disruption or data integrity issues. The lack of known exploits in the wild currently lowers immediate threat levels but organizations should proactively address the vulnerability to prevent future exploitation.
Mitigation Recommendations
European organizations should take the following specific actions beyond generic patching advice:

1) Identify all Windows 64-bit systems running OpenSSL versions 1.1.1, 3.0.0, or 3.1.0 and verify whether the underlying hardware supports AVX512-IFMA instructions.
2) For affected systems where immediate patching is not feasible, apply the recommended workaround by setting the environment variable OPENSSL_ia32cap=:~0x200000 to disable AVX512-IFMA support at runtime, preventing the vulnerable code path from executing.
3) Review TLS configurations to assess the use of CHACHA20-POLY1305 cipher suites and consider temporarily disabling them on vulnerable servers if risk tolerance is low.
4) Monitor application logs and system stability for signs of crashes or anomalies potentially related to this vulnerability.
5) Plan and prioritize upgrading OpenSSL to patched versions once available, ensuring compatibility testing on Windows 64-bit platforms with AVX512-IFMA CPUs.
6) Educate development and security teams about the subtle nature of ABI violations and encourage auditing of cryptographic code for similar issues.
7) For critical systems, consider isolating or limiting exposure to untrusted clients that could influence cipher negotiation.

These targeted mitigations will reduce the attack surface and limit potential impacts while maintaining operational continuity.
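The workaround in step 2 above (and in the OpenSSL advisory) only works if the value is written exactly as `:~0x200000`: the leading colon selects the second capability word (CPUID leaf 7) and `~` marks the bits to clear. The following added example, not from OpenSSL or the page's author, models how OpenSSL interprets an OPENSSL_ia32cap value so a defender can verify that a configured value really clears the AVX512-IFMA bit. It assumes the word layout documented in OPENSSL_ia32cap(3) (word 0 = CPUID leaf 1 EDX/ECX, word 1 = leaf 7 EBX in the low 32 bits, ECX in the high 32 bits) and that AVX512-IFMA is bit 21 of leaf 7 EBX; it does not read the CPU's real CPUID, it evaluates the override against a constructed capability vector.

```python
"""Evaluate OPENSSL_ia32cap overrides against a capability vector and check
whether the CVE-2023-4807 workaround (clearing AVX512-IFMA) is in effect."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed layout (OPENSSL_ia32cap(3)): word 1 holds CPUID leaf 7 EBX in its
# low 32 bits; CPUID.(EAX=7,ECX=0):EBX bit 21 is AVX512_IFMA.
LEAF7_WORD = 1
AVX512_IFMA_BIT = 1 << 21


@dataclass
class CapWord:
    value: int
    clear: bool  # True when written as ~0x...: bits to clear, else a replacement


def parse_ia32cap(env_value: str) -> List[Optional[CapWord]]:
    """Split 'w0:w1:...' into per-word directives. An empty field (the part
    before the colon in ':~0x200000') means 'keep the detected word' -> None."""
    words: List[Optional[CapWord]] = []
    for field in env_value.strip().split(":"):
        field = field.strip()
        if not field:
            words.append(None)
            continue
        clear = field.startswith("~")
        words.append(CapWord(int(field.lstrip("~"), 16), clear))
    return words


def apply_ia32cap(detected: List[int], env_value: str) -> List[int]:
    """Return the capability vector OpenSSL would use after the override."""
    result = list(detected)
    for i, w in enumerate(parse_ia32cap(env_value)):
        if w is None or i >= len(result):
            continue
        result[i] = (result[i] & ~w.value) if w.clear else w.value
    return result


def ifma_disabled(detected: List[int], env_value: str) -> bool:
    """True when the AVX512-IFMA bit is clear after the override, so the
    vulnerable POLY1305 code path cannot be selected."""
    return apply_ia32cap(detected, env_value)[LEAF7_WORD] & AVX512_IFMA_BIT == 0


# Constructed sample: leaf-7 word with AVX2 (bit 5), AVX512F (bit 16) and
# AVX512-IFMA (bit 21) set; the leaf-1 word is an arbitrary constructed value.
SAMPLE_CAPS = [0x7FFAFBFF, (1 << 5) | (1 << 16) | (1 << 21)]

if __name__ == "__main__":
    # The colon-less form clears bit 21 of the wrong word and leaves IFMA on.
    for setting in (":~0x200000", "~0x200000", ""):
        print(f"{setting!r:14} IFMA disabled: {ifma_disabled(SAMPLE_CAPS, setting)}")
```

Running it shows that `~0x200000` without the leading colon does not disable IFMA, which is the configuration mistake most worth checking for.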
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: openssl
- Date Reserved: 2023-09-06T16:32:29.871Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d983ac4522896dcbed14e
Added to database: 5/21/2025, 9:09:14 AM
Last enriched: 7/2/2025, 2:58:09 AM
Last updated: 8/18/2025, 11:32:13 PM