SHA-3 Buffer Overflow

416 points by cbzbc, over 2 years ago

20 comments

ajsfoux234, over 2 years ago
The vulnerability impacts 'the "official" SHA-3 implementation'. How widely used is it for SHA-3 hashing compared to something like OpenSSL?
metadat, over 2 years ago
If you're familiar with SHA-256 and this is your first encounter with SHA-3:

The main differences between the older SHA-256 of the SHA-2 family of FIPS 180, and the newer SHA3-256 of the SHA-3 family of FIPS 202, are:

* Resistance to length extension attacks.

* Performance. The SHA-2 functions—particularly SHA-512, SHA-512/224, and SHA-512/256—generally have higher performance than the SHA-3 functions. Partly this was out of paranoia and political reasons in the SHA-3 design process.

Further reading: https://crypto.stackexchange.com/questions/68307/what-is-the-difference-between-sha-3-and-sha-256
brundolf, over 2 years ago
> The vulnerable code was released in January 2011, so it took well over a decade for this vulnerability to be found

Ouch
bvrmn, over 2 years ago
It looks pretty difficult to exploit. Untrusted 4GB input with non-chunked update.
throwaway81523, over 2 years ago
Didn't they find a vulnerability like this in the official MD5 implementation when they tried to port it to SPARK/Ada and the proofs didn't work? I wasn't able to just find it with web search, but here's a release about something similar happening with another one of the SHA3 candidates (Skein), before Keccak was chosen:

https://www.adacore.com/press/spark-skein

See also: https://www.adacore.com/papers/sparkskein
computerfriend, over 2 years ago
LibreSSL-based implementations seem unaffected. I can calculate that hash using hashlib without a segfault.
cipherboy, over 2 years ago
Does this impact most distros? I'd imagine Python and PHP's native crypto bindings would be replaced with OpenSSL which should have assembly variants of SHA-3.
tinglymintyfrsh, over 2 years ago
Oh shit. I better check my native Ruby extension that I believe uses the reference C code.
all_these_years, over 2 years ago
SHA-3 in Ruby:

    $ gem install sha3
    $ irb
    > require 'sha3'
    > s = SHA3::Digest::SHA224.new
    > s.update("\x00")
    > s.update("\x00" * 4294967295)
    [ Segmentation fault... ]

Tested with Ruby 3.1.2

Gem's code (including C native extension): https://github.com/johanns/sha3
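A defensive pattern for the condition the comments above describe (one update() call carrying about 4 GiB of untrusted data), as an added example that is not part of the thread: feed the hash in bounded slices and cap the total input size, shown with Python's hashlib. The 1 MiB slice size and the helper names `update_chunked` and `hash_stream` are assumptions of this example.

```python
import hashlib

MAX_UPDATE = 1 << 20  # assumed cap: 1 MiB per update() call, far below 2**32


def update_chunked(h, data, max_update=MAX_UPDATE):
    """Feed a bytes-like object to hash object `h` in bounded slices.

    Returns the largest length handed to a single update() call.
    """
    view = memoryview(data).cast("B")  # byte-indexed view, no copy of the input
    largest = 0
    for off in range(0, len(view), max_update):
        piece = view[off:off + max_update]
        h.update(piece)
        largest = max(largest, len(piece))
    return largest


def hash_stream(stream, algo="sha3_224", max_update=MAX_UPDATE, max_total=None):
    """Hash a binary stream with bounded reads; reject input above max_total."""
    h = hashlib.new(algo)
    total = 0
    while True:
        piece = stream.read(max_update)
        if not piece:
            break
        total += len(piece)
        if max_total is not None and total > max_total:
            raise ValueError("input exceeds max_total bytes")
        h.update(piece)
    return h.hexdigest()
```

Bounded updates only keep each call far from the size the comments describe; updating to a fixed library build is still what removes the bug.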
arisAlexis, over 2 years ago
Can someone ELI5 the severity of this over the whole internet? What breaks/what not
adunsulag, over 2 years ago
FYI in the healthcare space to meet ONC Cures Update regulations for bulk patient export, it's a requirement to use SHA384 (RS384 or ES384). I would think most implementations will be safe due to the 4GB payload criteria, but if anyone is doing anything funky they'll need to look at this closely.
hasa, over 2 years ago
It may be a dumb question, but is there any realistic use case to use this vulnerability to reveal SHA-3 hashed secrets? Or is it just that attacker can crash systems with suitable input?
ouid, over 2 years ago
What does generating preimages mean here? The preimage is the set of all messages that hash to some set of hashes. Is the author saying that the hash function is reversible in reasonable time?
bobkazamakis, over 2 years ago
https://www.xilinx.com/products/intellectual-property/1-1mjenql.html

https://documentation-service.arm.com/static/62bb3e4bb334256d9ea8d26f
Ptchd, over 2 years ago
Does Tor use SHA-3?
Donckele, over 2 years ago
“I’ve also shown how a specially constructed file can result in arbitrary code execution,”

Ouch, that's not looking good for a reference implementation for a piece of software deployed on billions and billions of machines that was written by experts and reviewed (and modified) by even bigger egg heads.
aliqot, over 2 years ago
Interesting they both say "Official Sha3" and "by its designers", which as I remember it isn't that accurate. Keccak was chosen and then NIST added what is affectionately known as the 'mystery padding' before certification. What we know as official is not the way the designers submitted the proposal.

This isn't an attempt at a scary accusation, but as a pedant, this got me.

For those wondering, here is an explanation by a commenter:

    The padding change is the only difference, this allows future tree hashing modes as well as the current SHAKE outputs to generate different digests given the same security parameters and message inputs. Up to 4 additional bits are added, which keeps the full padding inside a byte boundary, making implementations with octet only input able to switch to SHA-3 from Keccak with change to only a single line of code.

https://crypto.stackexchange.com/questions/10645/are-nists-changes-to-keccak-sha-3-problematic

https://cdt.org/insights/what-the-heck-is-going-on-with-nist%E2%80%99s-cryptographic-standard-sha-3/

Keccak team's response: https://keccak.team/2013/yes_this_is_keccak.html
jbaczuk, over 2 years ago
No bounty and still politely reports it. Good guys need more praise.
yieldcrv, over 2 years ago
Bro what? This is a big deal right?

Like NSO Group hacking everyone for the next 5 years deal?
flatiron, over 2 years ago
So if we ported this library to rust sha3 seems peachy? No doubt an interesting port but it now seems inevitable.