wolfSSL TLS 1.3 CertificateVerify Signature Algorithm Downgrade Vulnerability

Vulnerability

A vulnerability exists in wolfSSL versions through 5.8.2 that improperly validates input during the negotiation of signature algorithms in the TLS 1.3 CertificateVerify message. This flaw allows for a downgrade of the signature algorithm used, potentially compromising the integrity of the connection. The issue arises when a client specifies ECDSA P521 as its preferred signature algorithm, and the server, instead of honoring this preference, responds with ECDSA P256. If the client also supports ECDSA P256, the connection will proceed using the downgraded algorithm.

Impact

Exploitation of this vulnerability leads to a downgrade of the signature algorithm from ECDSA P521 to ECDSA P256 during the TLS 1.3 handshake, which could weaken the cryptographic security of the connection.

Reproduction

To reproduce this vulnerability, initiate a TLS 1.3 handshake from a client that supports ECDSA P521 and lists it in the signature_algorithms extension of its ClientHello. The server should be running wolfSSL version 5.8.2 or earlier. Observe that the server signs its CertificateVerify message with ECDSA P256 and the client accepts it, despite the client's stated preference for P521. This can be tested using a tool that allows manipulation of the ClientHello message, such as a custom TLS client or a TLS library that exposes this functionality.
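The check below is an added example, not wolfSSL code or the advisory's own test: it parses the body of a signature_algorithms extension as defined in RFC 8446 section 4.2.3 (a 2-byte length followed by 2-byte SignatureScheme values in client preference order) and classifies the scheme the server used in CertificateVerify against that order, so a handshake capture showing the P521-to-P256 case described above can be flagged. The code points are the RFC values; the sample extension bytes are constructed, and treating any deviation from the client's top preference as a downgrade is this example's own assumption.

```python
import struct

# SignatureScheme code points from RFC 8446 section 4.2.3
SIGNATURE_SCHEMES = {
    0x0403: "ecdsa_secp256r1_sha256",
    0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256",
    0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512",
}


def parse_signature_algorithms(ext_body: bytes) -> list:
    """Parse a signature_algorithms extension body: 2-byte list length,
    then 2-byte SignatureScheme values in client preference order."""
    if len(ext_body) < 2:
        raise ValueError("truncated extension body")
    (list_len,) = struct.unpack("!H", ext_body[:2])
    if list_len % 2 or 2 + list_len != len(ext_body):
        raise ValueError("bad supported_signature_algorithms length")
    return [struct.unpack("!H", ext_body[i:i + 2])[0]
            for i in range(2, 2 + list_len, 2)]


def check_certificate_verify(client_prefs: list, chosen: int) -> str:
    """Classify the scheme the server used in CertificateVerify relative
    to the client's advertised preference list (assumption: any scheme
    other than the client's first choice is reported as a downgrade)."""
    if chosen not in client_prefs:
        return "reject: server signed with a scheme the client never offered"
    rank = client_prefs.index(chosen)
    if rank == 0:
        return "ok: server honored the client's top preference"
    preferred = SIGNATURE_SCHEMES.get(client_prefs[0], hex(client_prefs[0]))
    used = SIGNATURE_SCHEMES.get(chosen, hex(chosen))
    return f"downgrade: client preferred {preferred}, server used {used} (rank {rank})"


# Constructed sample: a ClientHello offering P521 first, then P256, then RSA-PSS.
SAMPLE_EXTENSION = bytes.fromhex("0006" "0603" "0403" "0804")

if __name__ == "__main__":
    prefs = parse_signature_algorithms(SAMPLE_EXTENSION)
    # The advisory's scenario: server answers with ecdsa_secp256r1_sha256.
    print(check_certificate_verify(prefs, 0x0403))
```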

Remediation

Users can upgrade to wolfSSL version 5.8.4 or later, where this vulnerability has been fixed.

Added: Nov 21, 2025, 11:20 PM
Updated: Nov 21, 2025, 11:20 PM

Vulnerability Rating (Custom Algorithm)

spread          6.6
impact          0.6
exploitability  5.0
remediation     7.7
relevance       1.1
threat          1.6
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.