Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 3 |
CVE-ID | CVE-2020-12457 CVE-2020-15309 CVE-2020-24585 |
CWE-ID | CWE-835 CWE-310 CWE-399 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
wolfSSL Universal components / Libraries / Libraries used by multiple products |
Vendor | wolfSSL |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU45989
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2020-12457
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The
vulnerability exists due to improper change_cipher_spec (CCS) message
processing logic for TLS 1.3. A remote attacker can send
ChangeCipherSpec messages in a crafted way involving more than one in a
row and perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionswolfSSL: 4.0 - 4.4.0
Fixed software versionsCPE2.3 External links
http://github.com/wolfSSL/wolfssl/pull/2927
http://github.com/wolfSSL/wolfssl/releases/tag/v4.5.0-stable
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
EUVDB-ID: #VU45988
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2020-15309
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists in wolfSSL when single precision is not employed. A local user can conduct a cache-timing attack against public key operations. These attackers may already have obtained sensitive information if the affected system has been used for private key operations (e.g., signing with a private key).
MitigationInstall updates from vendor's website.
Vulnerable software versionswolfSSL: 4.0 - 4.4.0
Fixed software versionsCPE2.3 External links
http://github.com/wolfSSL/wolfssl/releases/tag/v4.5.0-stable
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
EUVDB-ID: #VU45987
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2020-24585
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources with the application within the DTLS handshake implementation in wolfSSL. Clear DTLS application_data messages in epoch 0 do not produce an out-of-order error. Instead, these messages are returned to the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionswolfSSL: 4.0 - 4.4.0
Fixed software versionsCPE2.3 External links
http://github.com/wolfSSL/wolfssl/pull/3219
http://github.com/wolfSSL/wolfssl/releases/tag/v4.5.0-stable
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?