#VU41116 Input validation error in wolfSSL


Published: 2019-12-25 | Updated: 2020-08-09

Vulnerability identifier: #VU41116

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19960

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
wolfSSL
Universal components / Libraries / Libraries used by multiple products

Vendor: wolfSSL

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In wolfSSL before 4.3.0, wc_ecc_mulmod_ex does not properly resist side-channel attacks.

Mitigation
Install update from vendor's website.

Vulnerable software versions

wolfSSL: 4.0 - 4.1.0

External links
http://github.com/wolfSSL/wolfssl/commit/5ee9f9c7a23f8ed093fe1e42bc540727e96cebb8
http://github.com/wolfSSL/wolfssl/releases/tag/v4.3.0-stable

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in wolfSSL