Security features bypass in wolfSSL

#VU65123 Security features bypass in wolfSSL

Published: 2022-07-12

Vulnerability identifier: #VU65123

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34293

CWE-ID: CWE-254

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
wolfSSL
Universal components / Libraries / Libraries used by multiple products

Vendor: wolfSSL

Description

The vulnerability allows a remote attacker to perform DoS attack.

The vulnerability exists due to an implementation error in DTLS 1.0/1.2, which causes the return-routability check, intended to protect application against DoS attacks, to be wrongly skipped in a specific edge case. A remote attacker can perform a denial of service (DoS) attack by consuming excessive resources on the server.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

wolfSSL: 2.0.3 - 5.3.0

External links
http://github.com/wolfSSL/wolfssl/releases/tag/v5.4.0-stable

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in wolfSSL