Source: wolfssl
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for wolfssl.

CVE-2022-38152[0]:
| An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client
| connects to a wolfSSL server and SSL_clear is called on its session,
| the server crashes with a segmentation fault. This occurs in the
| second session, which is created through TLS session resumption and
| reuses the initial struct WOLFSSL. If the server reuses the previous
| session structure (struct WOLFSSL) by calling wolfSSL_clear(WOLFSSL*
| ssl) on it, the next received Client Hello (that resumes the previous
| session) crashes the server. Note that this bug is only triggered when
| resuming sessions using TLS session resumption. Only servers that use
| wolfSSL_clear instead of the recommended SSL_free; SSL_new sequence
| are affected. Furthermore, wolfSSL_clear is part of wolfSSL's
| compatibility layer and is not enabled by default. It is not part of
| wolfSSL's native API.

https://github.com/wolfSSL/wolfssl/pull/5468

CVE-2022-38153[1]:
| An issue was discovered in wolfSSL before 5.5.0 (when
| --enable-session-ticket is used); however, only version 5.3.0 is
| exploitable. Man-in-the-middle attackers or a malicious server can
| crash TLS 1.2 clients during a handshake. If an attacker injects a
| large ticket (more than 256 bytes) into a NewSessionTicket message in
| a TLS 1.2 handshake, and the client has a non-empty session cache, the
| session cache frees a pointer that points to unallocated memory,
| causing the client to crash with a "free(): invalid pointer" message.
| NOTE: It is likely that this is also exploitable during TLS 1.3
| handshakes between a client and a malicious server. With TLS 1.3, it
| is not possible to exploit this as a man-in-the-middle.

https://github.com/wolfSSL/wolfssl/pull/5476

CVE-2022-39173[2]:
| In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow
| during a TLS 1.3 handshake. This occurs when an attacker supposedly
| resumes a previous TLS session. During the resumption Client Hello a
| Hello Retry Request must be triggered. Both Client Hellos are required
| to contain a list of duplicate cipher suites to trigger the buffer
| overflow. In total, two Client Hellos have to be sent: one in the
| resumed session, and a second one as a response to a Hello Retry
| Request message.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-38152
    https://www.cve.org/CVERecord?id=CVE-2022-38152
[1] https://security-tracker.debian.org/tracker/CVE-2022-38153
    https://www.cve.org/CVERecord?id=CVE-2022-38153
[2] https://security-tracker.debian.org/tracker/CVE-2022-39173
    https://www.cve.org/CVERecord?id=CVE-2022-39173

Please adjust the affected versions in the BTS as needed.
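
Added example (not part of the original report and not wolfSSL code): the CVE-2022-39173 description says both Client Hellos carry duplicate cipher suites, which a network sensor or test harness can flag by parsing the plaintext ClientHello. The function names and the sample record are constructed for illustration, and the parser assumes an unfragmented ClientHello in a single TLS record.

```python
def client_hello_cipher_suites(record: bytes) -> list:
    """Return the cipher suite IDs offered in one plaintext ClientHello record."""
    # TLS record header: content type 0x16 (handshake), version (2), length (2).
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    # Handshake header: msg_type 0x01 (ClientHello), 24-bit length.
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) != int.from_bytes(body[1:4], "big"):
        raise ValueError("truncated or fragmented ClientHello")
    pos = 2 + 32  # skip legacy_version and random
    if pos >= len(hello):
        raise ValueError("ClientHello too short")
    pos += 1 + hello[pos]  # skip legacy_session_id
    if pos + 2 > len(hello):
        raise ValueError("ClientHello too short")
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    return [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]


def duplicate_suites(suites: list) -> list:
    """Return suite IDs that appear more than once, in order of first repeat."""
    seen, dups = set(), []
    for suite in suites:
        if suite in seen and suite not in dups:
            dups.append(suite)
        seen.add(suite)
    return dups


def sample_client_hello(suites: list) -> bytes:
    """Constructed test input: a minimal ClientHello record without extensions."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = b"\x03\x03" + bytes(32) + b"\x00" + len(cs).to_bytes(2, "big") + cs + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    record = sample_client_hello([0x1301, 0x1302, 0x1301, 0x1303, 0x1302])
    print([hex(s) for s in duplicate_suites(client_hello_cipher_suites(record))])
```

A ClientHello with repeated suites is not proof of an attack on its own; treat a hit as a signal to check whether the server runs wolfSSL before 5.5.1.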