CVE-2023-37464 Overview
CVE-2023-37464 is a cryptographic vulnerability in OpenIDC/cjose, a C library implementing the Javascript Object Signing and Encryption (JOSE) standard. The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE (JSON Web Encryption) instead of enforcing the fixed length of 16 octets as mandated by the JOSE specification. This implementation flaw allows attackers to provide a truncated Authentication Tag and modify the JWE accordingly, potentially compromising the integrity of encrypted data.
Critical Impact
This vulnerability enables attackers to bypass AES GCM authentication by providing truncated authentication tags, allowing modification of encrypted JWE content without detection.
Affected Products
- Cisco cjose versions prior to 0.6.2.2
- Applications and services using the vulnerable cjose library for JOSE operations
- Systems relying on AES GCM encryption through the cjose library
Discovery Timeline
- July 14, 2023 - CVE-2023-37464 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-37464
Vulnerability Analysis
The vulnerability exists in the AES GCM decryption routine within the cjose library. According to IETF RFC 7518 Section 4.7, the Authentication Tag for AES GCM encryption in JOSE must have a fixed length of 16 octets (128 bits). However, the vulnerable implementation incorrectly accepted and processed Authentication Tags of any length provided by the caller.
This deviation from the specification creates a significant integrity weakness. AES GCM uses the Authentication Tag to verify that the ciphertext has not been tampered with. By accepting truncated tags, an attacker can significantly reduce the cryptographic strength of the authentication mechanism. A shorter tag means fewer bits need to match, making it computationally feasible to forge valid-appearing encrypted content.
The impact is primarily on data integrity rather than confidentiality. Attackers cannot directly decrypt data, but they can potentially modify encrypted JWE content and craft authentication tags that pass the weakened validation, leading to acceptance of tampered data by applications relying on cjose for JOSE operations.
Root Cause
The root cause is a failure to validate the Authentication Tag length before processing in the AES GCM decryption function. The specification in RFC 7518 explicitly requires a 16-octet tag length, but the implementation trusted the length of the provided tag without verification. This violates the principle of secure cryptographic implementation where all inputs must be validated against specification requirements before use.
Attack Vector
The attack vector is network-based and does not require authentication or user interaction. An attacker can exploit this vulnerability by:
- Intercepting or crafting a JWE (JSON Web Encryption) token
- Modifying the encrypted content within the JWE
- Providing a truncated Authentication Tag that has a higher probability of being accepted
- Submitting the modified JWE to an application using the vulnerable cjose library
The following patch demonstrates the fix implemented in version 0.6.2.2:
goto _cjose_jwe_decrypt_dat_aes_gcm_fail;
}
+ if (jwe->enc_auth_tag.raw_len != 16)
+ {
+ CJOSE_ERROR(err, CJOSE_ERR_CRYPTO);
+ goto _cjose_jwe_decrypt_dat_aes_gcm_fail;
+ }
+
// set the expected GCM-mode authentication tag
if (EVP_CIPHER_CTX_ctrl(ctx, CJOSE_EVP_CTRL_GCM_SET_TAG, jwe->enc_auth_tag.raw_len, jwe->enc_auth_tag.raw) != 1)
{
Source: GitHub Commit
Detection Methods for CVE-2023-37464
Indicators of Compromise
- JWE tokens with Authentication Tags shorter than 16 octets being processed by applications
- Unexpected changes in decrypted content from JWE tokens
- Application logs showing successful decryption of JWEs with malformed or short authentication tags
- Integrity violations detected at application layer after JWE decryption
Detection Strategies
- Monitor application logs for cryptographic operations involving JWE tokens with non-standard tag lengths
- Implement software composition analysis (SCA) to identify cjose library versions prior to 0.6.2.2
- Audit network traffic for JWE tokens with truncated Authentication Tags (Base64URL-decoded length not equal to 16 bytes)
- Deploy runtime application self-protection (RASP) to detect and block malformed JWE processing
Monitoring Recommendations
- Enable verbose logging for cryptographic operations in applications using JOSE libraries
- Set up alerts for failed authentication tag validation in updated library versions
- Monitor for unusual patterns in JWE token sizes or structures in API traffic
- Implement integrity checking at the application level as an additional validation layer
How to Mitigate CVE-2023-37464
Immediate Actions Required
- Upgrade cjose library to version 0.6.2.2 or later immediately
- Audit all applications and services using the cjose library for JOSE operations
- Review recent JWE operations for potential tampering if exploitation is suspected
- If immediate upgrade is not possible, switch from AES GCM to AES CBC encryption algorithm as a temporary workaround
Patch Information
The vulnerability has been addressed in cjose version 0.6.2.2. The fix adds explicit validation to ensure the Authentication Tag length is exactly 16 octets before processing, in compliance with RFC 7518. Users should upgrade to this version or later. The security patch is available at the GitHub repository.
Additional security advisories and patches have been released by:
Workarounds
- Replace AES GCM encryption with AES CBC encryption algorithm if upgrading is not immediately feasible
- Implement application-level validation of JWE Authentication Tag lengths before passing to cjose
- Add additional integrity verification mechanisms at the application layer
- Consider using alternative JOSE libraries that properly implement RFC 7518 requirements
# Verify cjose version on Linux systems
pkg-config --modversion cjose
# Check for vulnerable package on Debian/Ubuntu
dpkg -l | grep cjose
# Check for vulnerable package on Fedora/RHEL
rpm -qa | grep cjose
# Update on Debian/Ubuntu (after security update available)
sudo apt update && sudo apt upgrade libcjose0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
