Vulnerability In wolfSSL Could Allow MiTM Attacks – Patch Available


A researcher found a vulnerability in the wolfSSL library that posed a threat to users’ privacy. Exploiting the bug could allow attackers to intercept communications and read data.

wolfSSL Vulnerability Discovered

Reportedly, security researcher Gérald Doussot found a serious vulnerability in the wolfSSL library. wolfSSL is an SSL/TLS library written in C that serves embedded IoT and RTOS environments.

Describing the details in a blog post, the researcher explained that the vulnerability existed due to the incorrect implementation of the TLS 1.3 client state machine.

As a result, an adversary could impersonate any TLS 1.3 server and read data communicated between wolfSSL library clients.

Explaining the specific issue, the researcher stated,

wolfSSL does not strictly enforce the TLS 1.3 client state machine. Specifically and in case of server certificate authentication, the wolfSSL TLS client state machine accepts a “Finished” message in the “WAIT_CERT_CR” state, just after having processed an “EncryptedExtensions” message. This is incorrect according to RFC 8446. wolfSSL should accept only “CertificateRequest” or “Certificate” messages as valid input to the state machine in the “WAIT_CERT_CR” state.
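
The strict enforcement described in the quote above can be written as a transition table. The following C code is an added example, not wolfSSL's code or the researcher's; state names follow RFC 8446 Appendix A.1, while ST_ERROR, the function names and the message sequence in main() are assumptions made here, and HelloRetryRequest and post-handshake messages are left out.

```c
#include <stddef.h>

/* Client states named as in RFC 8446 Appendix A.1; ST_ERROR is added here. */
typedef enum { WAIT_SH, WAIT_EE, WAIT_CERT_CR, WAIT_CERT, WAIT_CV,
               WAIT_FINISHED, CONNECTED, ST_ERROR } state_t;

/* Handshake messages a TLS 1.3 client can receive in this flow. */
typedef enum { SERVER_HELLO, ENCRYPTED_EXTENSIONS, CERTIFICATE_REQUEST,
               CERTIFICATE, CERTIFICATE_VERIFY, FINISHED } msg_t;

/* Next state, or ST_ERROR if m is not allowed in s; use_psk = PSK auth. */
state_t client_next_state(state_t s, msg_t m, int use_psk)
{
    switch (s) {
    case WAIT_SH:
        return m == SERVER_HELLO ? WAIT_EE : ST_ERROR;
    case WAIT_EE:
        if (m != ENCRYPTED_EXTENSIONS) return ST_ERROR;
        return use_psk ? WAIT_FINISHED : WAIT_CERT_CR;
    case WAIT_CERT_CR:
        /* Only these two inputs are valid; Finished here must be rejected. */
        if (m == CERTIFICATE_REQUEST) return WAIT_CERT;
        if (m == CERTIFICATE) return WAIT_CV;
        return ST_ERROR;
    case WAIT_CERT:
        return m == CERTIFICATE ? WAIT_CV : ST_ERROR;
    case WAIT_CV:
        return m == CERTIFICATE_VERIFY ? WAIT_FINISHED : ST_ERROR;
    case WAIT_FINISHED:
        return m == FINISHED ? CONNECTED : ST_ERROR;
    default:
        return ST_ERROR; /* post-handshake messages are out of scope here */
    }
}

/* Feed a received message sequence through the table; stop on first error. */
state_t run_handshake(const msg_t *msgs, size_t n, int use_psk)
{
    state_t s = WAIT_SH; /* ClientHello already sent */
    for (size_t i = 0; i < n && s != ST_ERROR; i++)
        s = client_next_state(s, msgs[i], use_psk);
    return s;
}

int main(void)
{
    msg_t skipped[] = { SERVER_HELLO, ENCRYPTED_EXTENSIONS, FINISHED }; /* constructed */
    return run_handshake(skipped, 3, 0) == ST_ERROR ? 0 : 1;
}
```

With certificate authentication, a handshake that never carried Certificate and CertificateVerify ends in ST_ERROR instead of CONNECTED, so the client aborts before any application data is exchanged.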

Patch Released

The researcher discovered the vulnerability in July 2020 and then reached out to the vendors.

In response, the vendors developed a fix for this vulnerability that they released with wolfSSL version 4.5.0.

This bug has received the identifier CVE-2020-24613. The researcher has labeled it a high-severity flaw that posed a threat to all wolfSSL library platforms.

Now that a fix is out, the vendors urge all users to upgrade to the latest version of wolfSSL. Elaborating further on the bug in their advisory, they stated,

Users that have applications with client side code and have TLS 1.3 turned on, should update to the latest version of wolfSSL. Users that do not have TLS 1.3 turned on, or that are server side only, are NOT affected by this report.

Besides the fix for this vulnerability, the vendors have included numerous other security fixes in this release.


Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

2 thoughts on “Vulnerability In wolfSSL Could Allow MiTM Attacks – Patch Available”

  • September 1, 2020 at 12:20 pm

    upgrade ASAP

  • September 1, 2020 at 12:02 pm

    I wonder how many people are using it
