Vulnerability identifier: #VU50255
Vulnerability risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-399
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
wolfSSL
Universal components / Libraries /
Libraries used by multiple products
Vendor: wolfSSL
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the DoTls13CertificateVerify() function in tls13.c in wolfSSL continues to process requests after certain anomalous peer behavior, such as sending an
ED22519, ED448, ECC, or RSA signature without the corresponding
certificate. A remote attacker can abuse this behavior to consume additional system resources and cause denial of service conditions.
Mitigation
Install update from vendor's website.
Vulnerable software versions
wolfSSL: 2.0.3 - 4.6.0
External links
http://github.com/wolfSSL/wolfssl/pull/3676
http://github.com/wolfSSL/wolfssl/releases/tag/v4.7.0-stable
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.