ASA-2019-00526 – wolfSSL wolfCrypt: Out-of-bounds read in GetLength_ex()

Posted on by Allele Security Intelligence in Alerts

Allele Security Alert

ASA-2019-00526

Identifier(s)

ASA-2019-00526, CVE-2019-15651

Title

Out-of-bounds read in GetLength_ex()

Vendor(s)

wolfSSL Inc

Product(s)

wolfSSL wolfCrypt

Affected version(s)

wolfSSL version 4.1.0

Fixed version(s)

wolfSSL versions with the following commit(s) applied

https://github.com/wolfSSL/wolfssl/pull/2425/commits/c6e4aebcdff4e774c94953ffe9de7ce287c54f4f

Proof of concept

Yes

Description

wolfSSL 4.1.0 has a one-byte heap-based buffer over-read in DecodeCertExtensions() and DecodeOcspRespExtensions() in wolfcrypt/src/asn.c because reading the ASN_BOOLEAN byte is mishandled for a crafted DER certificate in GetLength_ex().

Technical details

Unknown

Credits

flyroom

Reference(s)

one-byte-heap-overread (wolfcrypt/src/asn.c:7584) #2421
https://github.com/wolfSSL/wolfssl/issues/2421

sanity check on buffer size #2425
https://github.com/wolfSSL/wolfssl/pull/2425/commits/c6e4aebcdff4e774c94953ffe9de7ce287c54f4f

test_crt.zip
https://github.com/wolfSSL/wolfssl/files/3524404/test_crt.zip

CVE-2019-15651
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15651

CVE-2019-15651
https://nvd.nist.gov/vuln/detail/CVE-2019-15651

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: September 4, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.