wolfSSL wolfTPM Buffer Overrun Vulnerability in RSA Key Export from TPM

A buffer overrun vulnerability has been identified in the wolfSSL wolfTPM library when exporting RSA keys larger than 2048 bits from a TPM 2.0 module. This issue arises if the default maximum RSA key size is used and the TPM hardware supports larger key sizes. When an application exports such a key using the 'wolfTPM2_RsaKey_TpmToWolf' function, the buffer overrun can occur. However, if the 'MAX_RSA_KEY_BITS' macro is correctly set to match the TPM hardware capabilities, the stack overrun vulnerability is mitigated.

Impact

Exploitation of this vulnerability can lead to a stack buffer overrun, which may cause memory corruption or allow for arbitrary code execution.

Reproduction

To reproduce this vulnerability, export an RSA key larger than 2048 bits from a TPM 2.0 module using the 'wolfTPM2_RsaKey_TpmToWolf' function. Ensure that the 'MAX_RSA_KEY_BITS' macro is set to 2048, and that the TPM hardware supports larger key sizes. This will trigger the buffer overrun condition.

Remediation

Users should ensure that the 'MAX_RSA_KEY_BITS' macro is set correctly to match the RSA key size capabilities of their TPM hardware. This adjustment can prevent the buffer overrun vulnerability during RSA key export.