CVE-2023-6129 Overview
CVE-2023-6129 is a memory corruption vulnerability in the POLY1305 MAC (message authentication code) implementation within OpenSSL that affects applications running on PowerPC CPU-based platforms with vector instruction support. The vulnerability causes internal application state corruption due to improper handling of vector registers, potentially leading to denial of service or, in worst-case scenarios, complete application compromise.
Critical Impact
Applications using OpenSSL's POLY1305 MAC implementation on PowerPC processors supporting PowerISA 2.07 instructions may experience memory corruption, incorrect calculations, crashes, or potential remote code execution when processing TLS 1.2/1.3 connections using CHACHA20-POLY1305 cipher.
Affected Products
- OpenSSL versions prior to patched releases on PowerPC platforms
- OpenSSL 3.2.0 and earlier versions with PowerISA 2.07 vector instruction support
- TLS server applications using CHACHA20-POLY1305 AEAD cipher on PowerPC
Discovery Timeline
- 2024-01-09 - CVE CVE-2023-6129 published to NVD
- 2025-06-20 - Last updated in NVD database
Technical Details for CVE-2023-6129
Vulnerability Analysis
The vulnerability resides in the poly1305-ppc.pl assembly implementation within OpenSSL's cryptographic library. When the POLY1305 MAC algorithm executes on PowerPC processors with vector instruction capabilities (PowerISA 2.07), the implementation incorrectly restores vector register contents in a different order than they were saved.
This register ordering mismatch causes corruption of non-volatile XMM vector registers when the function returns to the caller. The consequences depend heavily on how the calling application uses these registers. If the compiler uses vector registers for storing pointers, an attacker could potentially achieve complete control of the application process. More commonly, the corruption results in incorrect calculation results or application crashes leading to denial of service.
The vulnerable code path is triggered when CHACHA20-POLY1305 AEAD cipher is negotiated during TLS 1.2 or TLS 1.3 handshakes. A malicious client connecting to a vulnerable TLS server can influence cipher selection to force use of the affected code path, making this vulnerability remotely exploitable in server scenarios.
Root Cause
The root cause is an off-by-one error in the vector register frame allocation within the PowerPC assembly implementation. The code allocated space for 13 vector registers (13*16 bytes) but only 12 registers (v20-v31) needed to be saved and restored. This mismatch caused the save and restore operations to operate on misaligned memory regions, corrupting register contents when control returned to the calling function.
Attack Vector
The attack can be initiated remotely over a network connection. An attacker can exploit this vulnerability by:
- Establishing a TLS connection to a vulnerable server running on PowerPC hardware
- During the TLS handshake, negotiating the CHACHA20-POLY1305 cipher suite
- The server's OpenSSL implementation invokes the vulnerable POLY1305 MAC code
- Vector registers become corrupted upon function return
- Subsequent server operations may produce incorrect results, crash, or in specific conditions allow further exploitation
The vulnerability requires the target system to be running on PowerPC architecture with PowerISA 2.07 vector instruction support, limiting the attack surface to this specific platform.
# Security patch in crypto/poly1305/asm/poly1305-ppc.pl
# Fix: Correct vector register frame size allocation
my $LOCALS= 6*$SIZE_T;
my $VSXFRAME = $LOCALS + 6*$SIZE_T;
$VSXFRAME += 128; # local variables
- $VSXFRAME += 13*16; # v20-v31 offload
+ $VSXFRAME += 12*16; # v20-v31 offload
my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0;
Source: GitHub OpenSSL Commit 050d263
Detection Methods for CVE-2023-6129
Indicators of Compromise
- Unexpected application crashes on PowerPC servers running OpenSSL-based TLS services
- Incorrect cryptographic calculation results or data corruption in applications using POLY1305 MAC
- Unusual TLS cipher suite negotiation patterns favoring CHACHA20-POLY1305
- Memory corruption artifacts in application logs or core dumps from PowerPC systems
Detection Strategies
- Inventory all PowerPC-based systems running OpenSSL and identify versions prior to the security patches
- Monitor TLS handshake logs for unusual cipher suite negotiation patterns targeting CHACHA20-POLY1305
- Implement application-level monitoring for unexpected crashes or segmentation faults on PowerPC servers
- Use vulnerability scanners to identify unpatched OpenSSL installations on PowerPC infrastructure
Monitoring Recommendations
- Enable detailed TLS handshake logging to track cipher suite negotiations
- Configure crash dump collection and analysis for applications using OpenSSL on PowerPC platforms
- Implement runtime application monitoring to detect memory corruption indicators
- Set up alerts for abnormal application restart patterns on affected infrastructure
How to Mitigate CVE-2023-6129
Immediate Actions Required
- Update OpenSSL to the latest patched version appropriate for your deployment
- On affected PowerPC systems, consider temporarily disabling CHACHA20-POLY1305 cipher suites until patches are applied
- Audit TLS configurations to understand exposure and prioritize patching based on risk
- Review downstream applications and dependencies that may bundle vulnerable OpenSSL versions
Patch Information
OpenSSL has released security patches addressing this vulnerability. The fix corrects the vector register frame size allocation in the poly1305-ppc.pl assembly file, changing the offload space from 13*16 to 12*16 bytes to properly align with the 12 vector registers (v20-v31) being saved and restored.
Patches are available via the following commits:
For detailed information, see the OpenSSL Security Advisory January 2024.
Workarounds
- Disable CHACHA20-POLY1305 cipher suites in TLS configurations as a temporary mitigation
- Configure TLS servers to prefer alternative cipher suites such as AES-GCM until patching is complete
- On systems where patching is not immediately possible, consider restricting network access to affected services
# Example OpenSSL cipher configuration to disable CHACHA20-POLY1305
# For Apache configuration (ssl.conf)
SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!CHACHA20"
# For Nginx configuration
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!CHACHA20';
# Verify OpenSSL version
openssl version -a
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
