wolfssl: CVE-2022-38152 CVE-2022-38153 CVE-2022-39173

Debian Bug report logs - #1021021
wolfssl: CVE-2022-38152 CVE-2022-38153 CVE-2022-39173

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: submit@bugs.debian.org

Subject: wolfssl: CVE-2022-38152 CVE-2022-38153 CVE-2022-39173

Date: Fri, 30 Sep 2022 16:59:56 +0200

Source: wolfssl
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for wolfssl.

CVE-2022-38152[0]:
| An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client
| connects to a wolfSSL server and SSL_clear is called on its session,
| the server crashes with a segmentation fault. This occurs in the
| second session, which is created through TLS session resumption and
| reuses the initial struct WOLFSSL. If the server reuses the previous
| session structure (struct WOLFSSL) by calling wolfSSL_clear(WOLFSSL*
| ssl) on it, the next received Client Hello (that resumes the previous
| session) crashes the server. Note that this bug is only triggered when
| resuming sessions using TLS session resumption. Only servers that use
| wolfSSL_clear instead of the recommended SSL_free; SSL_new sequence
| are affected. Furthermore, wolfSSL_clear is part of wolfSSL's
| compatibility layer and is not enabled by default. It is not part of
| wolfSSL's native API.

https://github.com/wolfSSL/wolfssl/pull/5468

CVE-2022-38153[1]:
| An issue was discovered in wolfSSL before 5.5.0 (when --enable-
| session-ticket is used); however, only version 5.3.0 is exploitable.
| Man-in-the-middle attackers or a malicious server can crash TLS 1.2
| clients during a handshake. If an attacker injects a large ticket
| (more than 256 bytes) into a NewSessionTicket message in a TLS 1.2
| handshake, and the client has a non-empty session cache, the session
| cache frees a pointer that points to unallocated memory, causing the
| client to crash with a "free(): invalid pointer" message. NOTE: It is
| likely that this is also exploitable during TLS 1.3 handshakes between
| a client and a malicious server. With TLS 1.3, it is not possible to
| exploit this as a man-in-the-middle.

https://github.com/wolfSSL/wolfssl/pull/5476

CVE-2022-39173[2]:
| In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow
| during a TLS 1.3 handshake. This occurs when an attacker supposedly
| resumes a previous TLS session. During the resumption Client Hello a
| Hello Retry Request must be triggered. Both Client Hellos are required
| to contain a list of duplicate cipher suites to trigger the buffer
| overflow. In total, two Client Hellos have to be sent: one in the
| resumed session, and a second one as a response to a Hello Retry
| Request message.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-38152
    https://www.cve.org/CVERecord?id=CVE-2022-38152
[1] https://security-tracker.debian.org/tracker/CVE-2022-38153
    https://www.cve.org/CVERecord?id=CVE-2022-38153
[2] https://security-tracker.debian.org/tracker/CVE-2022-39173
    https://www.cve.org/CVERecord?id=CVE-2022-39173

Please adjust the affected versions in the BTS as needed.

Send a report that this bug log contains spam.