Main Vulnerability Database SB2019122506

SB2019122506 - Multiple vulnerabilities in wolfSSL

Published: December 25, 2019 Updated: August 9, 2020

Security Bulletin ID SB2019122506

Severity

Medium

Patch available

YES

Number of vulnerabilities 3

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2019-19960)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In wolfSSL before 4.3.0, wc_ecc_mulmod_ex does not properly resist side-channel attacks.

2) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2019-19962)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

wolfSSL before 4.3.0 mishandles calls to wc_SignatureGenerateHash, leading to fault injection in RSA cryptography.

3) Input validation error (CVE-ID: CVE-2019-19963)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

An issue was discovered in wolfSSL before 4.3.0 in a non-default configuration where DSA is enabled. DSA signing uses the BEEA algorithm during modular inversion of the nonce, leading to a side-channel attack against the nonce.

Remediation

Install update from vendor's website.

SB2019122506 - Multiple vulnerabilities in wolfSSL

Breakdown by Severity

Description

Remediation

References