Affected Users:
Users of wolfSSL v4.0.0 are affected.
Summary of issue:
wolfSSL 4.0.0 has a buffer overflow in DoPreSharedKeys in tls13.c when the current identity size is greater than the client identity size. The identity data field of the PSK extension in the packet can carry more data than the destination buffer holds, and the excess is written past the buffer into the server's memory (RAM). The size of the data is about 65 kB, so attackers could write about 65 kB of data into the RAM space of affected servers.
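As an added, hypothetical illustration (not wolfSSL code and not the fix in the linked pull request) of the check such a parser needs: the first identity of a TLS 1.3 offered_psks list is copied into a fixed-size buffer only after its declared length has been validated against both the remaining wire data and the buffer size. The buffer size, struct and sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-size PSK identity buffer; not wolfSSL's own layout. */
#define MAX_PSK_ID_LEN 64

typedef struct {
    uint8_t  id[MAX_PSK_ID_LEN];
    uint16_t idLen;
    uint32_t ticketAge;
} PskIdentity;

/* Parse the first identity of a TLS 1.3 offered_psks list:
 *   uint16 listLen, then entries of
 *   opaque identity<1..2^16-1> (uint16 len + bytes) + uint32 obfuscated_ticket_age.
 * Returns 0 on success, -1 on malformed input or an identity too large to store. */
int parse_first_psk_identity(const uint8_t* ext, size_t extLen, PskIdentity* out)
{
    size_t off;
    uint16_t listLen, idLen;

    if (extLen < 2) return -1;
    listLen = (uint16_t)((ext[0] << 8) | ext[1]);
    off = 2;
    if (listLen < 7 || (size_t)listLen > extLen - off) return -1;

    idLen = (uint16_t)((ext[off] << 8) | ext[off + 1]);
    off += 2;
    /* The identity and its 4-byte ticket age must fit inside the list ... */
    if (idLen == 0 || (size_t)idLen + 4 > (size_t)listLen - 2) return -1;
    /* ... and the identity must fit the destination buffer: this is the check
     * that keeps an oversized identity from running past out->id. */
    if (idLen > MAX_PSK_ID_LEN) return -1;

    memcpy(out->id, ext + off, idLen);
    out->idLen = idLen;
    off += idLen;
    out->ticketAge = ((uint32_t)ext[off] << 24) | ((uint32_t)ext[off + 1] << 16)
                   | ((uint32_t)ext[off + 2] << 8) | ext[off + 3];
    return 0;
}

/* Constructed sample: one 6-byte identity "ticket" with ticket age 42. */
static const uint8_t kGoodExt[] = {
    0x00, 0x0c, 0x00, 0x06, 't', 'i', 'c', 'k', 'e', 't', 0x00, 0x00, 0x00, 0x2a };

int check_good(void)
{
    PskIdentity p;
    return parse_first_psk_identity(kGoodExt, sizeof kGoodExt, &p) == 0
        && p.idLen == 6 && p.ticketAge == 42 && memcmp(p.id, "ticket", 6) == 0;
}

/* Constructed sample: a 100-byte identity, larger than MAX_PSK_ID_LEN; must be rejected. */
int check_oversized(void)
{
    uint8_t ext[2 + 2 + 100 + 4] = { 0x00, 0x6a, 0x00, 0x64 };
    PskIdentity p;
    memset(ext + 4, 'A', 100);
    return parse_first_psk_identity(ext, sizeof ext, &p);
}
```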
Recommendation:
Users should upgrade to wolfSSL v4.1.0
Research:
https://nvd.nist.gov/vuln/detail/CVE-2019-11873
Additional details:
The patch for this vulnerability can be viewed here: https://github.com/wolfSSL/wolfssl/pull/2239
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Related Items:
https://www.wolfssl.com/everything-wanted-know-wolfssl-support-handles-vulnerability-reports-afraid-ask/
https://www.wolfssl.com/docs/security-vulnerabilities/
https://github.com/wolfSSL/wolfssl/pull/2353