Intel® Integrated Performance Primitives
Community support and discussions relating to developing high-performance vision, signal, security, and storage applications.
Announcements
The Intel sign-in experience is changing in February to support enhanced security controls. If you sign in, click here for more information.
6656 Discussions

Information on DPD200259352 Regarding Vulnerability Report of IPP Crypt

jsethi
Beginner
112 Views
IPP v7.0 update 6 contains thefollowing fix:

DPD200259352 Regarding Vulnerability Report of IPP Crypt

I am working in an environment that implements the IPP library, and we are required by compliance regulations to assess all vulnerabilities that affect the environment. Is this a fix that addresses a vulnerability, or is it just related to reporting? If it does address a vulnerability, I have the following questions:

Are the details of the vulnerability public? Is it being exploited?
What is the exploit vector (MITM? remotely exploitable?)
What level of privileges are requried (none required, valid user required)?
0 Kudos
1 Reply
Chao_Y_Intel
Employee
112 Views

Hello,

Actually, the DPD200259352 includes the fixs on:

ippsRSASign_XXX_PKCSv15 handles very long message (msgLen>0x7FFFFFFF bytes). IPP 7.0.6 fixed the bug on such long message.

ippsRSAOAEPEncrypt_XXX function add check on the input parameter check on pLabel=0. When pLabel==0 && labelLen!=0, it is considered as bad parameters.

If these specific cases are not used in the application, it is not effected by that fix.

Thanks,
Chao

Reply