A researcher found a vulnerability in the wolfSSL library that posed a threat to users’ privacy. Exploiting the bug could allow attackers to intercept communications and read data.
wolfSSL Vulnerability Discovered
Reportedly, a security researcher Gérald Doussot found a serious vulnerability in the wolfSSL library. wolfSSL is basically an SSL/TLS library, based on C-language, that aids embedded IoT and RTOS environments.
Describing the details in a blog post, the researcher explained that the vulnerability existed due to the incorrect implementation of the TLS 1.3 client state machine.
Thus, it allowed an adversary to mimic any TLS 1.3 server to read data communicated between wolfSSL library clients.
Explaining the specific issue, the researcher stated,
wolfSSL does not strictly enforce the TLS 1.3 client state machine. Specifically and in case of server certificate authentication, the wolfSSL TLS client state machine accepts a “Finished” message in the “WAIT_CERT_CR” state, just after having processed an “EncryptedExtensions” message. This is incorrect according to RFC 8446. wolfSSL should accept only “CertificateRequest” or “Certificate” messages as valid input to the state machine in the “WAIT_CERT_CR” state.
The researcher discovered the vulnerability in July 2020, following which, they reached out to the vendors.
In response, the vendors developed a fix for this vulnerability that they released with wolfSSL version 4.5.0.
This bug has received CVE number CVE-2020-24613. The researcher has labeled as a high-severity flaw that posed a threat to all wolfSSL library platforms.
Now that a fix is out, the vendors urge all users to upgrade to the latest version of wolfSSL. Elaborating further on the bug in their advisory, they stated,
Users that have applications with client side code and have TLS 1.3 turned on, should update to the latest version of wolfSSL. Users that do not have TLS 1.3 turned on, or that are server side only, are NOT affected by this report.
Besides this vulnerability, the vendors have also included numerous other security fixes as well with this release.
Let us know your thoughts in the comments.