what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

wolfSSL Session Resumption Denial Of Service

wolfSSL Session Resumption Denial Of Service
Posted Jan 20, 2023
Authored by Maximilian Ammann

wolfSSL versions prior to 5.5.0 suffer from a denial of service condition related to session resumption. When a TLS 1.3 client connects to a wolfSSL server and SSL_clear is called on its session, the server crashes with a segmentation fault. The bug occurs after a client performs a handshake against a wolfSSL server and then closes the connection. If the server reuses the previous session structure (struct WOLFSSL) by calling wolfSSL_clear(WOLFSSL* ssl) on it, the next received Client Hello, which resumes the previous session, crashes the server. Note, that this bug only exists in resumed handshakes using TLS session resumption. This bug was discovered using the novel symbolic-model-guided fuzzer tlspuffin.

tags | advisory, denial of service, fuzzer
advisories | CVE-2022-38152
SHA-256 | 1b9325efbf39604c8462f0298d0d79f674ddf2937457ea4559d7da387dd41a30

wolfSSL Session Resumption Denial Of Service

Change Mirror Download
# wolfSSL before 5.5.0: Denial-of-service with session resumption
=================================================================

## INFO
=======

The CVE project has assigned the id CVE-2022-38152 to this issue.

Severity: 7.5 HIGH
Affected version: before 5.5.0
End of embargo: Ended August 30, 2022

## SUMMARY
==========

When a TLS 1.3 client connects to a wolfSSL server and SSL_clear is called on
its session, the server crashes with a segmentation fault. The bug occurs after
a client performs a handshake against a wolfSSL server and then closes the
connection. If the server reuses the previous session structure (struct WOLFSSL)
by calling wolfSSL_clear(WOLFSSL* ssl) on it, the next received Client Hello,
which resumes the previous session, crashes the server. Note, that this bug only
exists in resumed handshakes using TLS session resumption. This bug was
discovered using the novel symbolic-model-guided fuzzer tlspuffin.

## DETAILS
==========

Line numbers below are valid for the wolfSSL Git tag v5.4.0-stable. The
vulnerability is exploitable with default compilation flags. If the
--enable-postauth flag is used, then this bug is no longer exploitable. When
creating a new TLS session (represented by a struct WOLFSSL), a struct called
arrays is allocated in internal.c:6652.

```
int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
{
...
ssl->arrays = (Arrays*)XMALLOC(sizeof(Arrays), ssl->heap,
DYNAMIC_TYPE_ARRAYS);
...
}
```

Note that this function is only called when creating a new session structure
using wolfSSL_new. After a handshake is done, resources related to it are freed
by default using the FreeHandshakeResources function in line ssl.c:3735. This
frees the memory behind ssl->arrays and sets the pointer to NULL.

```
void FreeHandshakeResources(WOLFSSL* ssl)
{
...
if (!ssl->options.tls1_3)
FreeArrays(ssl)
...
}

void FreeArrays(WOLFSSL* ssl)
{
...
ssl->arrays = NULL;
}
```

If the compile flag --enable-postauth is not set, the variable options.tls1_3 is
false, and therefore the arrays are freed. If --enable-postauth is set, then the
arrays are not freed. The above code is executed during the handshake of a fresh
session. Users of wolfSSL might not allocate a new session by using
wolfSSL_new(), but reuse a previous struct WOLFSSL. This can be done by calling
wolfSSL_clear(WOLFSSL* ssl) on the previous session and reusing the struct. The
next abbreviated handshake, which resumes the previous connection, will now
cause a segmentation fault in tls13.c:5296. The segmentation fault occurs
because the arrays pointer still points to NULL as InitSSL is not called before
the Client Hello is handled.

## AFFECTED VERSIONS
====================

wolfSSL 5.3.0 and 5.4.0 are affected The server needs to handle sessions in a
non-default way by using wolfSSL_clear

## SUGGESTED REMEDIATION
========================

After a session has been cleared and is reused for the next client, it should be
reinitialized.

Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close