Headline
wolfSSL Session Resumption Denial Of Service
wolfSSL versions prior to 5.5.0 suffer from a denial of service condition related to session resumption. When a TLS 1.3 client connects to a wolfSSL server and SSL_clear is called on its session, the server crashes with a segmentation fault. The bug occurs after a client performs a handshake against a wolfSSL server and then closes the connection. If the server reuses the previous session structure (struct WOLFSSL) by calling wolfSSL_clear(WOLFSSL* ssl) on it, the next received Client Hello, which resumes the previous session, crashes the server. Note, that this bug only exists in resumed handshakes using TLS session resumption. This bug was discovered using the novel symbolic-model-guided fuzzer tlspuffin.
# wolfSSL before 5.5.0: Denial-of-service with session resumption=================================================================## INFO=======The CVE project has assigned the id CVE-2022-38152 to this issue.Severity: 7.5 HIGHAffected version: before 5.5.0End of embargo: Ended August 30, 2022## SUMMARY==========When a TLS 1.3 client connects to a wolfSSL server and SSL_clear is called onits session, the server crashes with a segmentation fault. The bug occurs aftera client performs a handshake against a wolfSSL server and then closes theconnection. If the server reuses the previous session structure (struct WOLFSSL)by calling wolfSSL_clear(WOLFSSL* ssl) on it, the next received Client Hello,which resumes the previous session, crashes the server. Note, that this bug onlyexists in resumed handshakes using TLS session resumption. This bug wasdiscovered using the novel symbolic-model-guided fuzzer tlspuffin.## DETAILS==========Line numbers below are valid for the wolfSSL Git tag v5.4.0-stable. Thevulnerability is exploitable with default compilation flags. If the --enable-postauth flag is used, then this bug is no longer exploitable. Whencreating a new TLS session (represented by a struct WOLFSSL), a struct calledarrays is allocated in internal.c:6652.```int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup){ ... ssl->arrays = (Arrays*)XMALLOC(sizeof(Arrays), ssl->heap,DYNAMIC_TYPE_ARRAYS); ...}```Note that this function is only called when creating a new session structureusing wolfSSL_new. After a handshake is done, resources related to it are freedby default using the FreeHandshakeResources function in line ssl.c:3735. Thisfrees the memory behind ssl->arrays and sets the pointer to NULL.```void FreeHandshakeResources(WOLFSSL* ssl){ ... if (!ssl->options.tls1_3) FreeArrays(ssl) ...}void FreeArrays(WOLFSSL* ssl){... ssl->arrays = NULL;}```If the compile flag --enable-postauth is not set, the variable options.tls1_3 isfalse, and therefore the arrays are freed. If --enable-postauth is set, then thearrays are not freed. The above code is executed during the handshake of a freshsession. Users of wolfSSL might not allocate a new session by usingwolfSSL_new(), but reuse a previous struct WOLFSSL. This can be done by callingwolfSSL_clear(WOLFSSL* ssl) on the previous session and reusing the struct. Thenext abbreviated handshake, which resumes the previous connection, will nowcause a segmentation fault in tls13.c:5296. The segmentation fault occursbecause the arrays pointer still points to NULL as InitSSL is not called beforethe Client Hello is handled.## AFFECTED VERSIONS====================wolfSSL 5.3.0 and 5.4.0 are affected The server needs to handle sessions in anon-default way by using wolfSSL_clear## SUGGESTED REMEDIATION========================After a session has been cleared and is reused for the next client, it should bereinitialized.
Related news
wolfSSL through 5.0.0 allows an attacker to cause a denial of service and infinite loop in the client component by sending crafted traffic from a Machine-in-the-Middle (MITM) position. The root cause is that the client module accepts TLS messages that normally are only sent to TLS servers.
An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client connects to a wolfSSL server and SSL_clear is called on its session, the server crashes with a segmentation fault. This occurs in the second session, which is created through TLS session resumption and reuses the initial struct WOLFSSL. If the server reuses the previous session structure (struct WOLFSSL) by calling wolfSSL_clear(WOLFSSL* ssl) on it, the next received Client Hello (that resumes the previous session) crashes the server. Note that this bug is only triggered when resuming sessions using TLS session resumption. Only servers that use wolfSSL_clear instead of the recommended SSL_free; SSL_new sequence are affected. Furthermore, wolfSSL_clear is part of wolfSSL's compatibility layer and is not enabled by default. It is not part of wolfSSL's native API.