Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
NA

CVE-2022-39173

Published: 29/09/2022 Updated: 08/08/2023
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 0
Subscribe to Wolfssl

Vulnerability Summary

In wolfSSL prior to 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake. This occurs when an attacker supposedly resumes a previous TLS session. During the resumption Client Hello a Hello Retry Request must be triggered. Both Client Hellos are required to contain a list of duplicate cipher suites to trigger the buffer overflow. In total, two Client Hellos have to be sent: one in the resumed session, and a second one as a response to a Hello Retry Request message.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

wolfssl wolfssl

Vendor Advisories

Debian CVElist Bug Report Logs: wolfssl: CVE-2022-38152 CVE-2022-38153 CVE-2022-39173
Debian Bug report logs - #1021021 wolfssl: CVE-2022-38152 CVE-2022-38153 CVE-2022-39173 Package: src:wolfssl; Maintainer for src:wolfssl is Felix Lechner <felixlechner@lease-upcom>; Reported by: Moritz Mühlenhoff <jmm@inutilorg> Date: Fri, 30 Sep 2022 15:03:02 UTC Severity: grave Tags: security, upstream Re ...

Exploits

Exploit DB: wolfSSL Buffer Overflow
In wolfSSL versions prior to 551, malicious clients can cause a buffer overflow during a resumed TLS 13 handshake If an attacker resumes a previous TLS session by sending a maliciously crafted Client Hello, followed by another maliciously crafted Client Hello In total 2 Client Hellos have to be sent One which pretends to resume a previous ses ...

References

CWE-787https://www.wolfssl.com/docs/security-vulnerabilities/https://github.com/wolfSSL/wolfssl/releaseshttp://seclists.org/fulldisclosure/2022/Oct/24http://packetstormsecurity.com/files/169600/wolfSSL-Buffer-Overflow.htmlhttps://blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-fuzzing-ssh/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021021https://nvd.nist.gov
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
validationCVE-2024-34413CVE-2024-34089CVE-2024-33408localSQLCVE-2024-0402CVE-2024-33910CVE-2024-31848
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook