Vendor: wolfSSL
Vendor URL: https://www.wolfssl.com/
Versions affected: Versions prior to 4.5.0 with TLS 1.3 support enabled
Systems Affected: All wolfSSL library platforms
Author: Gérald Doussot
Advisory URL / CVE Identifier: In Progress
Risk: High

Summary:

wolfSSL is a C-language-based SSL/TLS library targeted at IoT, embedded, and RTOS environments.

wolfSSL incorrectly implements the TLS 1.3 client state machine. This allows attackers in a privileged network position to completely impersonate any TLS 1.3 servers and read or modify potentially sensitive information between clients using the wolfSSL library and these TLS servers.

Location:

In function SanityCheckTls13MsgReceived() of file tls13.c:6925.

Impact:

An attacker in a privileged position can read or modify communications between clients using the wolfSSL library and TLS 1.3 servers.

Details:

In RFC 8446, appendix “A.1. Client” summarizes the legal state transitions for the TLS 1.3 client handshake. wolfSSL does not strictly enforce the TLS 1.3 client state machine. Specifically and in case of server certificate authentication, the wolfSSL TLS client state machine accepts a “Finished” message in the “WAIT_CERT_CR” state, just after having processed an “EncryptedExtensions” message. This is incorrect according to RFC 8446. wolfSSL should accept only “CertificateRequest” or “Certificate” messages as valid input to the state machine in the “WAIT_CERT_CR” state.

This permits attackers in a privileged network position to completely bypass server certificate validation and authentication, therefore allowing them to impersonate any TLS servers to which clients using the wolfSSL library are connecting.

The issue is illustrated below, in function SanityCheckTls13MsgReceived() of file tls13.c:

case finished:
        #ifndef NO_WOLFSSL_CLIENT
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
                if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
                    WOLFSSL_MSG("Finished received out of order");
                    return OUT_OF_ORDER_E;
                }
                if (ssl->options.serverState <
                                         SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) {
                    WOLFSSL_MSG("Finished received out of order");
                    return OUT_OF_ORDER_E;
                }
            }
        #endif

Recommendation:

Users of the wolfSSL library for TLS 1.3 clients should update to the latest version of wolfSSL.

Vendor Communication:

  • 2020-07-27 – NCC Group reached out to vendor to identify appropriate security contact.
  • 2020-07-28 – Vendor security contact emailed NCC Group to begin disclosure dialogue.
  • 2020-07-28 – NCC Group transmitted draft advisory to vendor using the vendor’s communication channel of choice.
  • 2020-07-28 – Vendor provided a fix to test in a public GitHub pull request.
  • 2020-07-28 – NCC Group reported it successfully tested the fix to the vendor.
  • 2020-07-28 – NCC Group requested a joint disclosure date and remediation information for the vendor’s customers.
  • 2020-07-31 – Vendor merged the vulnerability fix to the master branch in GitHub.
  • 2020-07-31 – NCC Group requested an update on a joint disclosure date and customers remediation information.
  • 2020-07-31 – Vendor requested to hold advisory until next wolfSSL stable release, scheduled to be published within two to three weeks.
  • 2020-07-31 – NCC Group asked vendor if releasing an advisory on 2020-08-24 is suitable.
  • 2020-08-03 – NCC Group informed vendor that publishing a release with a fix in a timely manner is important as code changes to the master branch and in the pull request in GitHub are publicly available and can be analyzed to create attacks against wolfSSL users.
  • 2020-08-03 – Vendor confirmed that releasing an advisory on 2020-08-24 is suitable.
  • 2020-08-11 – Vendor informed NCC Group that wolfSSL version 4.5.0 will include a fix for this issue.
  • 2020-08-17 – Vendor released version 4.5.0 with advisory on GitHub.
  • 2020-08-24 – NCC Group published this technical advisory.

Thanks to:

The support team at wolfSSL, Inc and Matthew Brawn, Jennifer Fernick, Eric Schorn and Thomas Pornin from NCC Group for their support during the disclosure process.

About NCC Group:

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape.

With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face.

We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published