WOLFSSL SECURITY VULNERABILITIES
This page lists known vulnerabilities for the wolfSSL embedded SSL/TLS library, wolfCrypt embedded crypto engine, and other wolfSSL products. Each vulnerability is linked to the description and CVE if available. Please contact us with any questions or concerns.
Known Vulnerabilities
The SSL protocol, along with the more recent TLS 1.2 protocol, are both well documented and under constant scrutiny by the top experts in security and cryptography. SSL was quickly adopted as a standard world wide. SSL and TLS together secure communications between billions of computers, servers, Internet of Things (IoT) devices, and embedded systems. The security provided by an SSL/TLS Library depends on the underlying strength of its cryptography which is used to encrypt communications.
| INFO | CVE ID | SEVERITY | DESCRIPTION | TIME TO FIX | FIXED IN VERSION |
|---|---|---|---|---|---|
| LINK | N/A | High | OCSP verification issue when response is for a certificate with no relation to the chain in question BUT that response contains the NoCheck extension which effectively disables ALL verification of that one cert. Users who should upgrade to 4.8.1 are TLS client users doing OCSP, TLS server users doing mutual auth with OCSP, and CertManager users doing OCSP independent of TLS. Thanks to Jan Nauber, Marco Smeets, Werner Rueschenbaum and Alissa Kim for the report. | 8 days | 4.8.1 |
| LINK | N/A | Low | OCSP request/response verification issue. In the case that the serial number in the OCSP request differs from the serial number in the OCSP response the error from the comparison was not resulting in a failed verification. We recommend users that have wolfSSL version 4.6.0 and 4.7.0 with OCSP enabled update their version of wolfSSL. Version 4.5.0 and earlier are not affected by this report. Thanks to Rainer, Roee, Barak, Hila and Shoshi (from Cymotive and CARIAD) for the report. | 2 days | 4.8.0 |
| LINK | CVE-2021-3336 | High | In earlier versions of wolfSSL there exists a potential man in the middle attack on TLS 1.3 clients. Malicious attackers with a privileged network position can impersonate TLS 1.3 servers and bypass authentication. Users that have applications with client side code and have TLS 1.3 turned on, should update to the latest version of wolfSSL. Users that do not have TLS 1.3 turned on, or that are server side only, are NOT affected by this report. For the code change see https://github.com/wolfSSL/wolfssl/pull/3676. Thanks to Aina Toky Rasoamanana and Olivier Levillain from Télécom SudParis for the report. | Fixed 12 days prior to CVE issuance | 4.7.0 |
| LINK | N/A | Low | In the case of using custom ECC curves there is the potential for a crafted compressed ECC key that has a custom prime value to cause a hang when imported. This only affects applications that are loading in ECC keys with wolfSSL builds that have compressed ECC keys and custom ECC curves enabled. | 1 day | 4.7.0 |
| LINK | N/A | Low | With TLS 1.3 authenticated-only ciphers a section of the server hello could contain 16 bytes of uninitialized data when sent to the connected peer. This affects only a specific build of wolfSSL with TLS 1.3 early data enabled and using authenticated-only ciphers with TLS 1.3. | 12 days | 4.7.0 |
| LINK | CVE-2021-24116 | Low | Side-Channel cache look up vulnerability in base64 PEM decoding for versions of wolfSSL 4.5.0 and earlier. Versions 4.6.0 and up contain a fix and do not need to be updated for this report. If decoding a PEM format private key using version 4.5.0 and older of wolfSSL then we recommend updating the version of wolfSSL used. Thanks to Florian Sieck, Jan Wichelmann, Sebastian Berndt and Thomas Eisenbarth for the report. | Fixed 7 months prior to CVE issuance | 4.6.0 |
| LINK | CVE-2020-24613 | High | In wolfSSL versions prior to 4.5.0 there exists a potential man in the middle attack on TLS 1.3 clients. Malicious attackers with a privileged network position can impersonate TLS 1.3 servers and bypass authentication. Users that have applications with client side code and have TLS 1.3 turned on, should update to the latest version of wolfSSL. Users that do not have TLS 1.3 turned on, or that are server side only, are NOT affected by this report. Thanks to Gerald Doussot from NCC group for the report. | 2 days | 4.5.0 |
| LINK | CVE-2020-12457 | Low | In wolfSSL versions prior to 4.5.0, a denial of service attack on TLS 1.3 servers from repetitively sending ChangeCipherSpecs messages is possible. This denial of service results from the relatively low effort of sending a ChangeCipherSpecs message versus the effort of the server to process that message. Users with TLS 1.3 servers are recommended to update to the most recent version of wolfSSL which limits the number of TLS 1.3 ChangeCipherSpecs that can be received in order to avoid this DoS attack. CVE-2020-12457 was reserved for the report. Thanks to Lenny Wang of Tencent Security Xuanwu LAB. |
Fixed 114 days prior to CVE issuance | 4.5.0 |
| LINK | CVE-2020-15309 | Low | wolfSSL versions prior to 4.5.0 included a potential cache timing attack on public key operations in builds that are not using SP (single precision). Users that have a system where malicious agents could execute code on the system, are not using the SP build with wolfSSL, and are doing private key operations on the system (such as signing with a private key) are recommended to regenerate private keys and update to the most recent version of wolfSSL. CVE-2020-15309 is reserved for this issue. Thanks to Ida Bruhns from Universität zu Lübeck for the report. |
Fixed 57 days prior to CVE issuance | 4.5.0 |
| LINK | N/A | Low | In wolfSSL versions prior to 4.5.0, when using SGX with EC scalar multiplication the possibility of side-channel attacks are present. To mitigate the risk of side channel attacks wolfSSL’s single precision EC operations should be used instead. Release 4.5.0 turns this on be default now with SGX builds and in previous versions of wolfSSL this can be turned on by using the WOLFSSL_SP macros. Thank you to Alejandro Cabrera Aldaya, Cesar Pereida García and Billy Bob Brumley from the Network and Information Security Group (NISEC) at Tampere University for the report. | 1 day | 4.5.0 |
| LINK | N/A | High | wolfSSL versions prior to 4.5.0 may leak the private key in the case that PEM format private keys are bundled in with PEM certificates into a single file. This is due to the misclassification of certificate type versus private key type when parsing through the PEM file. To be affected, wolfSSL would need to have been built with OPENSSL_EXTRA (--enable-opensslextra). Some build variants such as --enable-all and --enable-opensslall also turn on this code path, checking wolfssl/options.h for OPENSSL_EXTRA will show if the macro was used with the build. If having built with the opensslextra enable option and having placed PEM certificates with PEM private keys in the same file when loading up the certificate file, then we recommend updating wolfSSL for this use case and also recommend regenerating any private keys in the file. |
1 day | 4.5.0 |
| LINK | N/A | Low | In wolfSSL versions prior to 4.5.0, during the handshake, clear application_data messages in epoch 0 are processed and returned to the application. Fixed by dropping received application_data messages in epoch 0. Thank you to Paul Fiterau of Uppsala University and Robert Merget of Ruhr-University Bochum for the report. | 0 days | 4.5.0 |
| LINK | CVE-2020-11713 | Low | wolfSSL versions prior to 4.4.0 have mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks. Version 4.4.0 fixes this to be constant time and cache resistant. Thank you to Pietro Borrello at Sapienza University of Rome. | Fixed 4 days prior to CVE issuance | 4.4.0 |
| LINK | CVE-2020-11735 | Low | wolfSSL versions prior to 4.4.0 using fast math do not use a constant-time modular inverse when mapping to affine coordinates. Version 4.4.0 uses a constant time modular inverse when mapping to affine when operation involves a private key - keygen, calc shared secret, sign. Thank you to Alejandro Cabrera Aldaya, Cesar Pereida García and Billy Bob Brumley from the Network and Information Security Group (NISEC) at Tampere University for the report. | Fixed 36 days prior to CVE issuance | 4.4.0 |
| CVE-2019-18840 | High | In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks of memory accesses in parsing ASN.1 certificate data while handshaking. Specifically, there is a one-byte heap-based buffer overflow inside the DecodedCert structure in GetName in wolfcrypt/src/asn.c because the domain name location index is mishandled. Because a pointer is overwritten, there is an invalid free | 0 days | 4.3.0 | |
| LINK | N/A | Low | In wolfSSL versions prior to 4.2.0, there is a potential program hang when ocspstapling2 is enabled. This is a moderate level fix that affects users who have ocspstapling2 enabled(off by default) and are on the server side. In parsing a CSR2 (Certificate Status Request v2 ) on the server side, there was the potential for a malformed extension to cause a program hang. Discovered by Robert Hoerr. | 5 days | 4.2.0 |
| LINK | CVE-2019-16748 | High | In wolfSSL through 4.1.0, there is a missing sanity check of memory accesses in parsing ASN.1 certificate data while handshaking. Specifically, there is a one-byte heap-based buffer over-read in CheckCertSignature_ex in wolfcrypt/src/asn.c. | 1 days | 4.2.0 |
| LINK | CVE-2019-15651 | High | wolfSSL 4.1.0 has a one-byte heap-based buffer over-read in DecodeCertExtensions in wolfcrypt/src/asn.c because reading the ASN_BOOLEAN byte is mishandled for a crafted DER certificate in GetLength_ex. | 1 days | 4.2.0 |
| LINK | N/A | Low | wolfSSL versions before 4.2.0 have potential for an invalid read when TLS 1.3 and pre-shared keys is enabled. Users without TLS 1.3 enabled are unaffected. Users with TLS 1.3 enabled and HAVE_SESSION_TICKET defined or NO_PSK not defined should update wolfSSL versions. Discovered by Robert Hoerr. | 0 days | 4.2.0 |
| LINK | CVE-2019-14317 | Low | Versions of wolfSSL before 4.2.0 are vulnerable to DSA operations involving an attack on recovering DSA private keys. This affects users that have DSA enabled and are performing DSA operations (off by default). ECDSA is NOT affected by this and TLS code is NOT affected by this issue. Discovered by Ján Jančár at Masaryk University. | 0 days | 4.2.0 |
| LINK | CVE-2019-13628 | Medium | Versions of wolfSSL before 4.1.0 are vulnerable to the potential leak of nonce sizes when performing ECDSA signing operations. The leak is considered to be difficult to exploit but it could potentially be used maliciously to perform a lattice based timing attack against previous wolfSSL versions. Discovered by Ján Jančár at Masaryk University. | 5 days | 4.1.0 |
| LINK | CVE-2019-11873 | High | In wolfSSL version 4.0.0, there is a potential buffer overflow case with the TLSv1.3 PSK extension parsing. This affects users that are enabling TLSv1.3 (--enable-tls13). Discovered by Robert Hoerr. | 0 days | 4.1.0 |
| LINK | CVE-2018-16870 | Medium | Versions of wolfSSL prior to 3.15.7 are vulnerable to a new variant of the Bleichenbacher attack to perform downgrade attacks against TLS, which may lead to leakage of sensible data. | 0 days | 3.15.7 |
| LINK | CVE-2018-12436 | Medium | Versions of wolfSSL up to and including 3.15.0 are vulnerable to a Key Extraction Side Channel Attack. A patch (wolfssl-3.15.1.patch) is available for download now on our website and a full release will be available next week containing the patch. | 0 days | 3.15.3 |
| LINK | CVE-2017-13099 | Medium | Versions of wolfSSL up to 3.12.2 have a weak Bleichenbacher vulnerability with suites that use an RSA-encrypted premaster secret. Discovered by Hanno Böck, Juraj Somorovsky, Craig Young. | 9 days | 3.13.0 |
| LINK | CVE-2017-2800 | Critical | Versions of wolfSSL before 3.11.0 have a possible out-of-bounds write by one from a crafted certificate being passed to the function wolfSSL_X509_NAME_get_text_by_NID. Discovered by Aleksandar Nikolic of Cisco Talos. | Fixed 20 days prior to CVE issuance | 3.11.0 |
| LINK | CVE-2017-8855 | High | In versions of wolfSSL before 3.11.0 there are cases where a malformed DH key is not rejected by the function wc_DhAgree. Thanks to Yueh-Hsun Lin and Peng Li at KNOX Security at Samsung Research America. | Fixed 5 days prior to CVE issuance | 3.11.0 |
| LINK | CVE-2017-8854 | High | Versions of wolfSSL before 3.10.2 have a possible out-of-bounds memory access when loading crafted DH parameters. Thanks to Yueh-Hsun Lin and Peng Li at KNOX Security at Samsung Research America. | Fixed 88 days prior to CVE issuance | 3.10.2 |
| LINK | CVE-2017-6076 | Medium | In versions of wolfSSL before 3.10.2 the software implementation makes it easier to extract RSA key information for a malicious user who has access to view the cache on a machine. | Fixed 13 days prior to CVE issuance | 3.10.2 |
| LINK | CVE-2016-7440 | Medium | Software AES table lookups do not properly consider cache-bank access times | Fixed 81 days prior to CVE issuance | 3.9.10 |
| LINK | CVE-2016-7439 | Medium | Software RSA does not properly consider cache-bank monitoring | Fixed 81 days prior to CVE issuance | 3.9.10 |
| LINK | CVE-2016-7438 | Medium | Software ECC does not properly consider cache-bank monitoring | Fixed 81 days prior to CVE issuance | 3.9.10 |
| LINK | CVE-2015-6925 | High | Potential DOS attack when using DTLS on the server side | Fixed 127 days prior to CVE issuance | 3.6.8 |
| LINK | CVE-2015-7744 | Medium | TLS servers using RSA with ephemeral keys may leak key bits on signature faults | Fixed 127 days prior to CVE issuance | 3.6.8 |
| LINK | CVE-2014-2903 | Medium | Server certificate not authorized for use in SSL/TLS handshake. CyaSSL does not check the key usage extension in leaf certificates. | Fixed 13 days prior to issuance | 2.9.4 |
| LINK | CVE-2014-2900 | Medium | Unknown critical certificate extension allowed | Fixed 13 days prior to issuance | 2.9.4 |
| LINK | CVE-2014-2899 | Medium | NULL pointer dereference on peer cert request after certificate parsing failure | Fixed 13 days prior to issuance | 2.9.4 |
| LINK | CVE-2014-2898 | Low | Out of bounds read on repeated calls to CyaSSL_read(), memory access error. | Fixed 13 days prior to issuance | 2.9.4 |
| LINK | CVE-2014-2897 | High | Out of bounds read, SSL 3.0 HMAC doesn't check padding length for verify failure | Fixed 13 days prior to issuance | 2.9.4 |
| LINK | CVE-2014-2896 | N/A | Memory corruption, possible out of bounds read on length check in DoAlert() | Fixed 13 days prior to issuance | 2.9.4 |
Known Attacks
As researchers and security professionals release new attacks against SSL/TLS protocol versions, algorithms, or cryptographic modes, we want to keep our users informed if wolfSSL is vulnerable or safe to such attacks.
| DATE | NAME | SEVERITY | WOLFSSL AFFECTED | ADDRESSED |
|---|---|---|---|---|
| 09.09.2020 | Raccoon Attack | Low | NO | N/A |
| 12.08.2017 | The ROBOT Attack | Medium | YES | YES |
| 08.24.2016 | SWEET32 Attack | TLS & SSH - High OpenVPN - Medium |
YES | YES |
| 03.01.2016 | DROWN Attack | Medium | NO | N/A |
| 01.07.2016 | SLOTH Attack | Medium | NO | N/A |
| 08.11.2015 | Pandora's Box Attack | N/A | NO | N/A |
| 07.09.2015 | Logjam Attack | Critical | NO | N/A |
| 03.30.2015 | Bar Mitzvah Attack | Medium | YES | YES |
| 03.04.2015 | FREAK Attack | Medium for all implementations | YES | N/A |
| 12.12.2014 | POODLE Bites Again | Medium | NO | N/A |
| 10.14.2014 | POODLE: Padding Oracle On Downgraded Legacy Encryption | Medium | YES | YES |
| 04.09.2014 | Heartbleed Bug | Medium | NO | N/A |
| 02.05.2014 | Lucky 13 Attack | Low | YES | YES |
| 09.24.2012 | CRIME Attack | Low | YES | YES |
| 05.13.2011 | BEAST Attack | Medium | YES | YES |
Contact Us
Email: facts@wolfssl.com
Phone: +1 (425) 245-8247