Security Advisory 2021-02-02-2 - wolfSSL heap buffer overflow in RsaPad_PSS (CVE-2020-36177)
Petr Štetiar
ynezz at true.cz
Wed Feb 3 09:34:03 EST 2021
DESCRIPTION
RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-of-bounds
write for certain relationships between key size and digest size. The issue is
marked as critical with a CVSS score of 9.8 (10 is most severe)[0].
The wolfSSL library is provided as the `libwolfssl24` package in OpenWrt and has
been shipped by default in snapshots since August 27th 2020[1]. It's NOT shipped
by default in the latest stable OpenWrt release, 19.07.
REQUIREMENTS
This is still a work in progress and not much information is available yet,
but given the very high CVSS score of 9.8 (10 is most severe), it's likely
that this issue has RCE potential.
You can check for updates on the dedicated wiki page[2] and forum topic[3] if
interested.
MITIGATIONS
You need to update the affected `libwolfssl24` package you're using with the
command below.

   opkg update; opkg upgrade libwolfssl24

Then verify that you're running a fixed version.

   opkg list-installed libwolfssl24

The above command should output the following:

   libwolfssl24 - 4.6.0-stable-1 - for stable OpenWrt 19.07 release
   libwolfssl24 - 4.6.0-stable-1 - for master/snapshot

The fix is contained in the following and later versions:
* OpenWrt master: 2021-01-01 reboot-15389-gba40da9045f7
* OpenWrt 19.07: 2021-02-02 v19.07.6-11-g2044c01de8f2
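
The verification step above can be scripted. The following is an added example, not part of the original advisory or of OpenWrt: it classifies one line of `opkg list-installed libwolfssl24` output against the fixed version 4.6.0. The function names are hypothetical, and it assumes that only the upstream version part of the package version (the text before the first "-") matters.

```shell
#!/bin/sh
# Added example, not from the advisory: classify `opkg list-installed` output.
FIXED="4.6.0"   # first fixed wolfSSL version, per the advisory

# ver_lt A B: succeed if dotted version A is lower than B (numeric per component)
ver_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "$a" = "$x" ] && a="" || a="${a#*.}"
        [ "$b" = "$y" ] && b="" || b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"      # missing components count as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                          # versions are equal
}

# check_wolfssl LINE: print fixed | vulnerable | not-installed | unknown
check_wolfssl() {
    line="$1"
    [ -z "$line" ] && { echo "not-installed"; return 0; }
    # Expected shape: "libwolfssl24 - 4.6.0-stable-1"
    case "$line" in
        "libwolfssl24 - "*) ver="${line#libwolfssl24 - }" ;;
        *) echo "unknown"; return 0 ;;
    esac
    ver="${ver%% *}"                  # drop anything after the version field
    ver="${ver%%-*}"                  # "4.6.0-stable-1" -> "4.6.0"
    case "$ver" in
        ""|*[!0-9.]*) echo "unknown"; return 0 ;;
    esac
    if ver_lt "$ver" "$FIXED"; then echo "vulnerable"; else echo "fixed"; fi
}

if command -v opkg >/dev/null 2>&1; then
    # On an OpenWrt device: check the installed package.
    check_wolfssl "$(opkg list-installed libwolfssl24)"
else
    # Elsewhere: run on constructed sample lines.
    check_wolfssl "libwolfssl24 - 4.5.0-stable-1"
    check_wolfssl "libwolfssl24 - 4.6.0-stable-1"
fi
```

A result of "not-installed" means the package is absent, which matches the default state of the stable 19.07 images.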
AFFECTED VERSIONS
To our knowledge, OpenWrt snapshot images are affected. OpenWrt stable release
versions 19.07.0 to 19.07.6 are not affected, because the vulnerable
`libwolfssl24` package is not shipped by default in the official firmware
images. Older versions of OpenWrt (e.g. OpenWrt 18.06, OpenWrt 15.05 and LEDE
17.01) are end of life and not supported any more.
CREDITS
This issue seems to have been found by libFuzzer's address sanitizer in the
OSS-Fuzz[4] project and fixed by Sean Parkinson[5] from the wolfSSL team.
REFERENCES
0. https://nvd.nist.gov/vuln/detail/CVE-2020-36177
1. https://git.openwrt.org/e79df3516d3e2931a2a2964cadfed0af99acef49
2. https://openwrt.org/advisory/2021-02-02-2
3. https://forum.openwrt.org/t/security-advisory-2021-02-02-2-wolfssl-heap-buffer-overflow-in-rsapad-pss-cve-2020-36177
4. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26567
5. https://github.com/wolfSSL/wolfssl/commit/fb2288c46dd4c864b78f00a47a364b96a09a5c0f