Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
NA

CVE-2023-6937

Published: 15/02/2024 Updated: 15/02/2024

Vulnerability Summary

wolfSSL before 5.6.6 did not check that messages in one (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most extreme edge case is that, in (D)TLS 1.3, it was possible that an unencrypted (D)TLS 1.3 record from the server containing first a ServerHello message and then the rest of the first server flight would be accepted by a wolfSSL client. In (D)TLS 1.3 the handshake is encrypted after the ServerHello but a wolfSSL client would accept an unencrypted flight from the server. This does not compromise key negotiation and authentication so it is assigned a low severity rating.

Vendor Advisories

Debian CVElist Bug Report Logs: wolfssl: CVE-2023-6935 CVE-2023-6936 CVE-2023-6937
Debian Bug report logs - #1059357 wolfssl: CVE-2023-6935 CVE-2023-6936 CVE-2023-6937 Package: src:wolfssl; Maintainer for src:wolfssl is Jacob Barthelmeh <sirkilamole@msncom>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Sat, 23 Dec 2023 12:51:01 UTC Severity: important Tags: security, upstream Found ...

Github Repositories

https://github.com/wolfSSL/Arduino-wolfSSL

This repository is a restructured copy of https://github.com/wolfSSL/wolfssl/ for the Arduino environment. Any Pull Requests for code changes should be opened there.

Arduino wolfSSL Library The library is modified from wolfSSL Release 566 for the Arduino platform wolfSSL Embedded SSL/TLS Library The wolfSSL embedded SSL library (formerly CyaSSL) is a lightweight SSL/TLS library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments - primarily because of its small size, speed, and feature set It is com

https://github.com/wolfSSL/wolfssl

The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3!

wolfSSL Embedded SSL/TLS Library The wolfSSL embedded SSL library (formerly CyaSSL) is a lightweight SSL/TLS library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments - primarily because of its small size, speed, and feature set It is commonly used in standard operating environments as well because of its royalty-free pricing and excelle

References

https://github.com/wolfSSL/wolfssl/pull/7029https://www.wolfssl.com/docs/security-vulnerabilities/https://nvd.nist.govhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059357https://github.com/wolfSSL/Arduino-wolfSSL
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2020-4463CVE-2024-3400deserializationCVE-2024-21788CVE-2023-42433CVE-2024-21841CVE-2024-22095local file inclusionmemory leak
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook