WOLFSSL SECURITY VULNERABILITIES

This page lists known vulnerabilities for the wolfSSL embedded SSL/TLS library, the wolfCrypt embedded crypto engine, and other wolfSSL products. Each entry gives the CVE ID where one was assigned, a short description, the time taken to fix the issue, and the first fixed version. Please contact us with any questions or concerns.

Known Vulnerabilities

The SSL protocol and its successors, TLS 1.2 and TLS 1.3, are well documented and under constant scrutiny by experts in security and cryptography. SSL was quickly adopted as a worldwide standard, and SSL and TLS together secure communications between billions of computers, servers, Internet of Things (IoT) devices, and embedded systems. The security an SSL/TLS library provides depends on the strength of the cryptography it uses to protect communications, and just as much on the correctness of the implementation: nearly every entry below is an implementation defect (a certificate or handshake parsing bug, a memory-safety error, or a timing or cache side channel) rather than a weakness in the underlying algorithms.

CVE ID | Severity | Time to fix | Fixed in version | Description

(For the 2014 to 2017 entries, "time to fix" is given as the number of days the fix shipped before the CVE was issued.)

N/A | Low | 5 days | 4.2.0 | wolfSSL versions prior to 4.2.0 have a potential program hang when OCSP stapling v2 (ocspstapling2, off by default) is enabled on the server side. While parsing a Certificate Status Request v2 (CSR2) extension, a malformed extension could cause the server to hang. Only servers with ocspstapling2 enabled are affected. Discovered by Robert Hoerr.
CVE-2019-16748 | High | 1 day | 4.2.0 | In wolfSSL through 4.1.0, ASN.1 certificate parsing during the handshake is missing a sanity check on memory accesses. Specifically, there is a one-byte heap-based buffer over-read in CheckCertSignature_ex in wolfcrypt/src/asn.c.
CVE-2019-15651 | High | 1 day | 4.2.0 | wolfSSL 4.1.0 has a one-byte heap-based buffer over-read in DecodeCertExtensions in wolfcrypt/src/asn.c: for a crafted DER certificate, GetLength_ex mishandles the read of the ASN_BOOLEAN byte (an extension's optional "critical" flag).
N/A | Low | 0 days | 4.2.0 | wolfSSL versions before 4.2.0 have a potential invalid read when TLS 1.3 and pre-shared keys are both enabled. Users without TLS 1.3 enabled are unaffected. Users with TLS 1.3 enabled and either HAVE_SESSION_TICKET defined or NO_PSK not defined should update. Discovered by Robert Hoerr.
CVE-2019-14317 | Low | 0 days | 4.2.0 | Versions of wolfSSL before 4.2.0 are vulnerable to an attack that recovers DSA private keys from DSA signing operations. This affects only users who have DSA enabled and perform DSA operations (off by default). ECDSA and the TLS code are NOT affected. Discovered by Ján Jančár at Masaryk University.
CVE-2019-13628 | Medium | 5 days | 4.1.0 | Versions of wolfSSL before 4.1.0 can leak the size (bit length) of the nonce during ECDSA signing operations. The leak is considered difficult to exploit, but it could be used to mount a lattice-based timing attack against earlier wolfSSL versions. Discovered by Ján Jančár at Masaryk University.
CVE-2019-11873 | High | 0 days | 4.1.0 | wolfSSL 4.0.0 has a potential buffer overflow when parsing the TLS 1.3 PSK extension. This affects users who build with TLS 1.3 enabled (--enable-tls13). Discovered by Robert Hoerr.
CVE-2018-16870 | Medium | 0 days | 3.15.7 | Versions of wolfSSL prior to 3.15.7 are vulnerable to a new variant of the Bleichenbacher attack that can be used for downgrade attacks against TLS and may lead to leakage of sensitive data.
CVE-2018-12436 | Medium | 0 days | 3.15.3 | Versions of wolfSSL up to and including 3.15.0 are vulnerable to a key-extraction side-channel attack. An interim patch (wolfssl-3.15.1.patch) was published on our website ahead of the fixed release.
CVE-2017-13099 | Medium | 9 days | 3.13.0 | Versions of wolfSSL up to 3.12.2 expose a weak Bleichenbacher oracle (the ROBOT attack) with cipher suites that use an RSA-encrypted premaster secret. Discovered by Hanno Böck, Juraj Somorovsky, and Craig Young.
CVE-2017-2800 | Critical | 20 days prior to CVE issuance | 3.11.0 | Versions of wolfSSL before 3.11.0 have a possible off-by-one out-of-bounds write when a crafted certificate is passed to the function wolfSSL_X509_NAME_get_text_by_NID. Discovered by Aleksandar Nikolic of Cisco Talos.
CVE-2017-8855 | High | 5 days prior to CVE issuance | 3.11.0 | In versions of wolfSSL before 3.11.0 there are cases where a malformed DH key is not rejected by the function wc_DhAgree. Thanks to Yueh-Hsun Lin and Peng Li at KNOX Security, Samsung Research America.
CVE-2017-8854 | High | 88 days prior to CVE issuance | 3.10.2 | Versions of wolfSSL before 3.10.2 have a possible out-of-bounds memory access when loading crafted DH parameters. Thanks to Yueh-Hsun Lin and Peng Li at KNOX Security, Samsung Research America.
CVE-2017-6076 | Medium | 13 days prior to CVE issuance | 3.10.2 | In versions of wolfSSL before 3.10.2 the software RSA implementation leaks key information through the cache, making RSA key extraction easier for an attacker able to observe the cache on the same machine.
CVE-2016-7440 | Medium | 81 days prior to CVE issuance | 3.9.10 | Software AES table lookups do not properly consider cache-bank access times.
CVE-2016-7439 | Medium | 81 days prior to CVE issuance | 3.9.10 | Software RSA does not properly consider cache-bank monitoring.
CVE-2016-7438 | Medium | 81 days prior to CVE issuance | 3.9.10 | Software ECC does not properly consider cache-bank monitoring.
CVE-2015-6925 | High | 127 days prior to CVE issuance | 3.6.8 | Potential DoS attack when using DTLS on the server side.
CVE-2015-7744 | Medium | 127 days prior to CVE issuance | 3.6.8 | TLS servers using RSA with ephemeral keys may leak key bits on signature faults.
CVE-2014-2903 | Medium | 13 days prior to CVE issuance | 2.9.4 | Server certificate not authorized for use in the SSL/TLS handshake: CyaSSL does not check the key usage extension in leaf certificates.
CVE-2014-2900 | Medium | 13 days prior to CVE issuance | 2.9.4 | Unknown critical certificate extensions are accepted instead of being rejected.
CVE-2014-2899 | Medium | 13 days prior to CVE issuance | 2.9.4 | NULL pointer dereference when the peer certificate is requested after certificate parsing has failed.
CVE-2014-2898 | Low | 13 days prior to CVE issuance | 2.9.4 | Out-of-bounds read (memory access error) on repeated calls to CyaSSL_read().
CVE-2014-2897 | High | 13 days prior to CVE issuance | 2.9.4 | Out-of-bounds read: SSL 3.0 MAC verification does not validate the padding length before handling a verify failure, so a crafted record can cause a read outside the record.
CVE-2014-2896 | N/A | 13 days prior to CVE issuance | 2.9.4 | Memory corruption: possible out-of-bounds read on the length check in DoAlert().
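Two of the certificate-parsing entries above come down to how an X.509 Extensions sequence is walked: CVE-2019-15651 (a one-byte over-read when the ASN_BOOLEAN byte of an extension is the last byte of the buffer) and CVE-2014-2900 (an unknown critical extension accepted rather than rejected). The following is an added illustration written for this page, not wolfSSL's code: a minimal bounds-checked DER reader that parses the RFC 5280 Extension structure, refuses a BOOLEAN whose length or body is cut off instead of reading past the buffer, and rejects any critical extension it does not recognize. The function and constant names (der_get_length, der_get_tlv, parse_extensions, DER_ERR_*) and the three hand-encoded inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Return codes for this toy parser (hypothetical names, not wolfSSL's). */
enum { DER_OK = 0, DER_ERR_TRUNCATED = -1, DER_ERR_BAD_ENCODING = -2, DER_ERR_UNKNOWN_CRITICAL = -3 };

/* Decode a DER length at in[*idx]. Every byte is checked against maxIdx before it is
 * read, and the body the length describes must fit as well. Skipping the first check
 * is exactly how a tag that happens to be the final byte of the buffer turns into a
 * one-byte over-read of the (missing) length byte. */
static int der_get_length(const uint8_t *in, size_t *idx, size_t maxIdx, size_t *len)
{
    size_t i = *idx, n, v = 0;
    if (i >= maxIdx) return DER_ERR_TRUNCATED;                 /* no length byte at all */
    n = in[i++];
    if (n & 0x80) {                                             /* long form: n = number of length bytes */
        n &= 0x7F;
        if (n == 0 || n > sizeof(size_t)) return DER_ERR_BAD_ENCODING; /* indefinite or absurd */
        if (maxIdx - i < n) return DER_ERR_TRUNCATED;           /* length bytes themselves missing */
        while (n--) v = (v << 8) | in[i++];
    } else {
        v = n;
    }
    if (v > maxIdx - i) return DER_ERR_TRUNCATED;               /* declared body runs past the buffer */
    *idx = i;
    *len = v;
    return DER_OK;
}

/* Expect `tag` at in[*idx]; on success *idx points at the body and *len is its size. */
static int der_get_tlv(const uint8_t *in, size_t *idx, size_t maxIdx, uint8_t tag, size_t *len)
{
    if (*idx >= maxIdx) return DER_ERR_TRUNCATED;
    if (in[*idx] != tag) return DER_ERR_BAD_ENCODING;
    (*idx)++;
    return der_get_length(in, idx, maxIdx, len);
}

/* Extensions this toy verifier understands (OIDs 2.5.29.x, DER-encoded as 55 1D xx). */
static int oid_is_known(const uint8_t *oid, size_t len)
{
    static const uint8_t known[][3] = {
        {0x55, 0x1D, 0x0F},  /* keyUsage */
        {0x55, 0x1D, 0x11},  /* subjectAltName */
        {0x55, 0x1D, 0x13},  /* basicConstraints */
    };
    for (size_t k = 0; k < sizeof(known) / sizeof(known[0]); k++)
        if (len == 3 && memcmp(oid, known[k], 3) == 0) return 1;
    return 0;
}

/* Walk an X.509 Extensions value (RFC 5280 section 4.1):
 *   Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
 * Returns DER_OK with *nExt = number of extensions, or the first error. A critical extension
 * the verifier does not understand is rejected, as RFC 5280 section 4.2 requires. */
int parse_extensions(const uint8_t *in, size_t inSz, size_t *nExt)
{
    size_t idx = 0, seqLen, end;
    int ret;
    *nExt = 0;
    if ((ret = der_get_tlv(in, &idx, inSz, 0x30, &seqLen)) != DER_OK) return ret;
    end = idx + seqLen;                                         /* <= inSz, guaranteed above */
    while (idx < end) {
        size_t extLen, extEnd, oidLen, valLen;
        const uint8_t *oid;
        int critical = 0;
        if ((ret = der_get_tlv(in, &idx, end, 0x30, &extLen)) != DER_OK) return ret;
        extEnd = idx + extLen;
        if ((ret = der_get_tlv(in, &idx, extEnd, 0x06, &oidLen)) != DER_OK) return ret;
        oid = in + idx;
        idx += oidLen;
        /* The critical BOOLEAN is optional: confirm a tag byte exists before looking at it,
         * and let der_get_tlv reject a BOOLEAN whose length or body has been cut off. */
        if (idx < extEnd && in[idx] == 0x01) {
            size_t bLen;
            if ((ret = der_get_tlv(in, &idx, extEnd, 0x01, &bLen)) != DER_OK) return ret;
            if (bLen != 1) return DER_ERR_BAD_ENCODING;
            critical = (in[idx] != 0);
            idx += 1;
        }
        if ((ret = der_get_tlv(in, &idx, extEnd, 0x04, &valLen)) != DER_OK) return ret;
        idx += valLen;
        if (idx != extEnd) return DER_ERR_BAD_ENCODING;         /* trailing bytes inside the Extension */
        if (critical && !oid_is_known(oid, oidLen)) return DER_ERR_UNKNOWN_CRITICAL;
        (*nExt)++;
    }
    return DER_OK;
}

/* Constructed sample inputs, hand-encoded for this example (not from any real certificate). */
const uint8_t ext_good[] = {                                    /* keyUsage (critical) + basicConstraints */
    0x30, 0x1B,
      0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x05, 0xA0,
      0x30, 0x09, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x02, 0x30, 0x00 };
const uint8_t ext_unknown_critical[] = {                        /* OID 1.2.3.4 marked critical TRUE */
    0x30, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x2A, 0x03, 0x04, 0x01, 0x01, 0xFF, 0x04, 0x01, 0x00 };
const uint8_t ext_truncated_bool[] = {                          /* BOOLEAN tag is the final byte */
    0x30, 0x08, 0x30, 0x06, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01 };

size_t ext_count;   /* receives the extension count from the last parse */

int main(void)
{
    int r = parse_extensions(ext_good, sizeof ext_good, &ext_count);
    printf("good: %d (%zu extensions)\n", r, ext_count);
    printf("unknown critical: %d\n", parse_extensions(ext_unknown_critical, sizeof ext_unknown_critical, &ext_count));
    printf("truncated boolean: %d\n", parse_extensions(ext_truncated_bool, sizeof ext_truncated_bool, &ext_count));
    return 0;
}
```

The third input is the shape of the CVE-2019-15651 trigger: the inner lengths are self-consistent, so the outer checks pass, and the 0x01 BOOLEAN tag sits at the very end of the buffer. A reader that advances past the tag and then reads "the length byte" touches one byte beyond the allocation; here der_get_length sees `i >= maxIdx` and returns DER_ERR_TRUNCATED instead.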

Known Attacks

As researchers and security professionals publish new attacks against SSL/TLS protocol versions, algorithms, or cryptographic modes, we want to keep our users informed about whether wolfSSL is affected by each one and whether it has been addressed.

Date | Name | Severity | wolfSSL affected | Addressed
12.08.2017 | The ROBOT Attack | Medium | YES | YES
08.24.2016 | SWEET32 Attack | High (TLS and SSH), Medium (OpenVPN) | YES | YES
03.01.2016 | DROWN Attack | Medium | NO | N/A
01.07.2016 | SLOTH Attack | Medium | NO | N/A
08.11.2015 | Pandora's Box Attack | N/A | NO | N/A
07.09.2015 | Logjam Attack | Critical | NO | N/A
03.30.2015 | Bar Mitzvah Attack | Medium | YES | YES
03.04.2015 | FREAK Attack | Medium for all implementations | YES | N/A
12.12.2014 | POODLE Bites Again | Medium | NO | N/A
10.14.2014 | POODLE: Padding Oracle On Downgraded Legacy Encryption | Medium | YES | YES
04.09.2014 | Heartbleed Bug | Medium | NO | N/A
02.05.2014 | Lucky 13 Attack | Low | YES | YES
09.24.2012 | CRIME Attack | Low | YES | YES
05.13.2011 | BEAST Attack | Medium | YES | YES
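Three of the CBC-related items on this page share one piece of code: the padding check that runs after a record is decrypted. CVE-2014-2897 (SSL 3.0 MAC verification not validating the padding length, giving an out-of-bounds read), POODLE (SSL 3.0 never checks the padding bytes themselves) and Lucky 13 (a padding check whose timing depends on where it fails) are all about that routine. The following is an added illustration written for this page, not wolfSSL's record layer: it shows the unchecked MAC-offset arithmetic wrapping around, a hardened unpad routine that bounds the padding length first and applies either SSL 3.0 or TLS padding rules, and a small builder for constructed test records. The names (cbc_unpad, mac_offset_unchecked, build_record, PAD_ERR_*) are hypothetical, and the 'M' bytes stand in for a real MAC, which the example does not compute.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

enum { PAD_OK = 0, PAD_ERR_LENGTH = -1, PAD_ERR_BAD_PADDING = -2 };

/* The offset computation with no bounds check. padLen is the attacker-controlled last byte
 * of the decrypted record, so len - padLen - 1 - macLen wraps and the "MAC" is read far
 * outside the record. Returned here only to show the wrap; nothing is dereferenced. */
size_t mac_offset_unchecked(size_t len, size_t padLen, size_t macLen)
{
    return len - padLen - 1 - macLen;
}

/* Hardened unpad for a decrypted CBC record laid out as content || MAC || padding || padLen.
 * ssl3 != 0 applies SSL 3.0 rules (only padLen < blockSz is required and the pad bytes are
 * not inspected, which is what POODLE exploits); otherwise TLS rules (every pad byte must
 * equal padLen). Sets *contentLen on PAD_OK. No index ever leaves [0, len). */
int cbc_unpad(const uint8_t *rec, size_t len, size_t macLen, size_t blockSz, int ssl3, size_t *contentLen)
{
    size_t padLen;
    if (blockSz == 0 || len == 0 || len % blockSz != 0) return PAD_ERR_LENGTH;
    padLen = rec[len - 1];
    /* The check whose absence is CVE-2014-2897: padding plus MAC must fit inside the record
     * before any offset derived from padLen is used. */
    if (padLen + 1 + macLen > len) return PAD_ERR_LENGTH;
    if (ssl3) {
        if (padLen >= blockSz) return PAD_ERR_BAD_PADDING;
    } else {
        /* TLS: compare every pad byte, accumulating the result rather than returning at the
         * first mismatch so the loop's timing does not reveal where padding stopped matching.
         * A complete Lucky 13 mitigation also MACs a fixed amount of data regardless of padLen;
         * that part is outside this example. */
        uint8_t diff = 0;
        for (size_t i = 0; i < padLen; i++) diff |= rec[len - 2 - i] ^ (uint8_t)padLen;
        if (diff) return PAD_ERR_BAD_PADDING;
    }
    *contentLen = len - padLen - 1 - macLen;
    return PAD_OK;
}

/* Build a constructed record into out: contentLen bytes of 'A', macLen bytes of 'M' as a
 * stand-in MAC, padding up to a multiple of blockSz, and the padLen byte. padFill < 0 writes
 * conforming padding (every pad byte == padLen); otherwise the pad bytes are set to padFill
 * while the final byte still says padLen, i.e. padding that SSL 3.0 accepts and TLS rejects.
 * Returns the record length, or 0 if it would not fit in cap. */
size_t build_record(uint8_t *out, size_t cap, size_t contentLen, size_t macLen, size_t blockSz, int padFill)
{
    size_t body = contentLen + macLen + 1;
    size_t len = ((body + blockSz - 1) / blockSz) * blockSz;
    size_t padLen = len - body;
    if (len > cap) return 0;
    memset(out, 'A', contentLen);
    memset(out + contentLen, 'M', macLen);
    memset(out + contentLen + macLen, padFill < 0 ? (int)padLen : padFill, padLen);
    out[len - 1] = (uint8_t)padLen;
    return len;
}

uint8_t rec[64];       /* scratch record used by main and by callers */
size_t content_len;    /* receives the content length from the last cbc_unpad */

int main(void)
{
    size_t len = build_record(rec, sizeof rec, 8, 20, 16, -1);        /* 8 + 20 + 1 -> 32, padLen 3 */
    printf("tls, good padding:  %d (content %zu)\n", cbc_unpad(rec, len, 20, 16, 0, &content_len), content_len);
    build_record(rec, sizeof rec, 8, 20, 16, 0x00);                    /* pad bytes 00, padLen byte 3 */
    printf("tls, bad pad bytes: %d\n", cbc_unpad(rec, len, 20, 16, 0, &content_len));
    printf("ssl3, same record:  %d (accepted: POODLE's oracle)\n", cbc_unpad(rec, len, 20, 16, 1, &content_len));
    rec[len - 1] = 0xFF;                                               /* attacker-chosen padLen */
    printf("unchecked offset:   %zu (wrapped past len %zu)\n", mac_offset_unchecked(len, 0xFF, 20), len);
    printf("ssl3, padLen 255:   %d\n", cbc_unpad(rec, len, 20, 16, 1, &content_len));
    return 0;
}
```

The SSL 3.0 branch is deliberately faithful to the protocol: it accepts any pad bytes as long as the length byte is in range, which is the oracle POODLE uses, and the page's answer to that is disabling SSL 3.0 rather than changing the check. The length test before either branch is the part that matters for CVE-2014-2897, because once padLen is trusted, every later offset inherits the wrap shown by mac_offset_unchecked.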

Contact Us

Email: facts@wolfssl.com
Phone: +1 (425) 245-8247