CVE-2023-1255
Input buffer over-read in AES-XTS implementation on 64 bit ARM
Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash. Impact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM platform can crash in rare circumstances. The AES-XTS algorithm is usually used for disk encryption. The AES-XTS cipher decryption implementation for 64 bit ARM platform will read past the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext buffer is unmapped, this will trigger a crash which results in a denial of service. If an attacker can control the size and location of the ciphertext buffer being decrypted by an application using AES-XTS on 64 bit ARM, the application is affected. This is fairly unlikely making this issue a Low severity one.
We have discovered 24,826 live websites that are affected by CVE-2023-1255.
Affected Software
| Product |  OpenSSL |
| Category | Web Server Extensions |
| Vulnerable Versions |
|
| Total Vulnerable Versions | 30 |
| Vulnerable Domains | 24,826 live websites (2.28% of OpenSSL install base) |
Details
- Published - Apr 20, 2023
- Updated - Apr 21, 2023
Credits
- Anton Romanov (Amazon) (reporter)
- Nevine Ebeid (Amazon) (remediation developer)
CVE References
CWE References
Countries
 United States | 7,937 websites |
 Germany | 2,556 websites |
 France | 1,721 websites |
 Japan | 1,282 websites |
 GB | 1,128 websites |
 Finland | 820 websites |
 Italy | 806 websites |
 Czech Republic | 770 websites |
 Netherlands | 694 websites |
 Canada | 583 websites |
TLDs
| .com | 8,493 websites |
| .de | 1,733 websites |
| .org | 1,450 websites |
| .net | 1,145 websites |
| .edu | 1,032 websites |
| .fr | 827 websites |
| .co.uk | 679 websites |
| .fi | 676 websites |
| .cz | 611 websites |
| .it | 591 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redReferences
- https://www.openssl.org/news/secadv/20230419.txt
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bc2f61ad70971869b242fc1cb445b98bad50074a
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=02ac9c9420275868472f33b01def01218742b8bb
- https://security.netapp.com/advisory/ntap-20230908-0006/
Websites affected by CVE-2023-1255
Top websites that are affected by CVE-2023-1255. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.***********.com | United States | *,*** | |
| ******.org | United States | *,*** | |
| ***.******.org | United States | *,*** | |
| ****.******.org | United States | *,*** | |
| ****.org | United States | *,*** | |
| ***.****.org | United States | *,*** | |
| ***.net |  Singapore | *,*** | |
| ********.org | Germany | *,*** | |
| ***.******************.org | United States | *,*** | |
| ********.edu | United States | **,*** |