#VU50255 Resource management error in wolfSSL - CVE-2021-3336
Published: January 29, 2021 / Updated: February 16, 2021
Vulnerability identifier: #VU50255
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-3336
CWE-ID: CWE-399
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
wolfSSL
Software vendor:
wolfSSL
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the DoTls13CertificateVerify() function in tls13.c in wolfSSL continues to process requests after certain anomalous peer behavior, such as sending an ED25519, ED448, ECC, or RSA signature without the corresponding certificate. A remote attacker can abuse this behavior to consume additional system resources and cause denial of service conditions.
Remediation
Install the update from the vendor's website.