A heap overflow vulnerability has been found in wolfSSL

wolfSSL is a TLS library mostly used in embedded Linux devices. It is also used in the popular tool curl. Its small code base makes it very popular in various IoT projects.

The vulnerability has been assigned CVE-2019-18840.

Explanation of the vulnerability

Due to incorrect parsing of ASN.1 certificates during a handshake, the GetName function in wolfcrypt/src/asn.c allows the program to overwrite a memory address and cause a heap overflow.

A malicious certificate will crash the program and, if exploited in a more advanced way, the effect will be remote code execution.

wolfcrypt/src/asn.c:4505:

    void FreeDecodedCert(DecodedCert* cert)
    {
        ...
        if (cert->subjectName.fullName != NULL)
            XFREE(cert->subjectName.fullName, cert->heap, DYNAMIC_TYPE_X509);
        ...
    }

wolfssl/wolfcrypt/asn.h:

    #define DOMAIN_COMPONENT_MAX 10
    #define DN_NAMES_MAX 9

    struct DecodedName {
        char* fullName;
        ...
        int   loc[DOMAIN_COMPONENT_MAX + DN_NAMES_MAX];
        int   locSz;
    };

    struct DecodedCert {
        ...
        DecodedName issuerName;
        DecodedName subjectName;
        ...
    };
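The asn.h excerpt sizes loc with two compile-time constants, so any code that fills it from certificate data needs a count check in addition to length checks. The following is an added example, not wolfSSL's code or its fix: a simplified TLV walker that rejects input with more components than the array holds. DemoName, demo_parse_name and demo_run are hypothetical names, and recording one entry per component is an assumption made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define DOMAIN_COMPONENT_MAX 10   /* values from the asn.h excerpt */
#define DN_NAMES_MAX 9
#define LOC_MAX (DOMAIN_COMPONENT_MAX + DN_NAMES_MAX)
/* Simplified stand-in for DecodedName: only the fields the excerpt shows. */
typedef struct {
    char* fullName;
    int   loc[LOC_MAX];
    int   locSz;
} DemoName;

/* Hypothetical parser: walk short-form TLVs (tag, 1-byte length, value) and
 * record each value offset. Returns the count, or -1 on input to reject. */
int demo_parse_name(DemoName* n, const unsigned char* buf, size_t len)
{
    size_t idx = 0;
    n->locSz = 0;
    while (idx < len) {
        if (len - idx < 2 || (buf[idx + 1] & 0x80))
            return -1;            /* truncated or long-form header */
        if ((size_t)buf[idx + 1] > len - idx - 2)
            return -1;            /* value runs past the buffer */
        if (n->locSz >= LOC_MAX)
            return -1;            /* more components than loc[] can hold */
        n->loc[n->locSz++] = (int)(idx + 2);
        idx += 2 + (size_t)buf[idx + 1];
    }
    return n->locSz;
}

/* Constructed input: `count` TLVs of 0x0c 0x01 'a', minus `cut` tail bytes. */
int demo_run(int count, size_t cut)
{
    unsigned char buf[3 * 64];
    DemoName n = { 0 };
    size_t len = 0;
    while (count-- > 0 && len + 3 <= sizeof(buf)) {
        buf[len++] = 0x0c; buf[len++] = 0x01; buf[len++] = 'a';
    }
    return demo_parse_name(&n, buf, cut > len ? 0 : len - cut);
}

int main(void)
{
    printf("19 -> %d, 20 -> %d\n", demo_run(19, 0), demo_run(20, 0));
    return 0;
}
```

Without the locSz check, the twentieth component would be written past the end of loc and into whatever follows it in memory.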

Source:

https://github.com/wolfSSL/wolfssl/issues/2555

External links:

WolfSSL wikipedia

heap overflow

wolfssl.com

We at Firo believe strongly that you should locate the vulnerabilities within your network and patch them.

With Firo Solutions you can receive notifications about new vulnerabilities that affect your system.

This blog post is part of the exploit of the day series, where we write a shorter description about interesting exploits that we index.