wolfSSL CRL Parser Heap-Based and Stack-Based Buffer Overflow Vulnerabilities

Vulnerability

Two buffer overflow vulnerabilities have been identified in the wolfSSL CRL parser, both in its handling of the CRL number. A heap-based buffer overflow can occur when the CRL number is stored as a hexadecimal string in a buffer that is sized incorrectly for that representation, and a stack-based overflow can be triggered by a CRL number that is large enough to exceed the parser's fixed-size buffer. Both vulnerabilities are out-of-bounds writes and can be reached with a carefully crafted CRL. The issue affects wolfSSL builds that enable CRL support, and is exposed whenever a CRL from an untrusted source is loaded.

Impact

Exploitation of these vulnerabilities leads to heap-based and stack-based buffer overflows, allowing for arbitrary memory writes that could be exploited to execute arbitrary code or cause a crash.

Reproduction

To reproduce this vulnerability, load a CRL from an untrusted source into a wolfSSL build with CRL support enabled. The CRL must carry a CRL number that is formatted as a hexadecimal string and that is large enough to trigger the stack-based overflow. The CRL parser then mishandles the CRL number and overflows its buffer.
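The two defects above share one root cause: the length of the CRL number is not bounded against the buffer it is written into, once for the raw octets on the stack and once for the hex-string form on the heap (which needs two characters per octet plus a terminator). The following is an added example written for this page, not wolfSSL's own parser or its fix, showing how a defensive parser of the CRLNumber extension value should size and check both buffers. It assumes a DER INTEGER as the input, uses the 20-octet maximum that RFC 5280 (section 5.2.3) imposes on CRL numbers as its stack buffer size, and uses constructed sample encodings rather than values from any real CRL; the function and constant names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 5280 5.2.3: conforming issuers MUST NOT use CRLNumber values longer
 * than 20 octets. That limit is also the size of the fixed stack buffer. */
#define CRL_NUMBER_MAX_OCTETS 20

enum {
    CRLNUM_OK                = 0,
    CRLNUM_ERR_TRUNCATED     = -1,  /* encoded length runs past the input   */
    CRLNUM_ERR_NOT_INTEGER   = -2,  /* tag is not a DER INTEGER (0x02)      */
    CRLNUM_ERR_TOO_LARGE     = -3,  /* value exceeds the 20-octet limit     */
    CRLNUM_ERR_BAD_LENGTH    = -4,  /* zero, indefinite or non-minimal len  */
    CRLNUM_ERR_OUT_TOO_SMALL = -5   /* caller's buffer cannot hold the value */
};

/* Parse a DER INTEGER holding a CRL number from der[0..derLen). The content
 * octets are copied into out (capacity outCap) only after the encoded length
 * has been checked against the input, the RFC limit and the output buffer.
 * Returns the number of octets copied, or a negative CRLNUM_ERR_* code. */
int parse_crl_number(const uint8_t *der, size_t derLen, uint8_t *out, size_t outCap)
{
    size_t idx = 0, len = 0;
    if (derLen < 2) return CRLNUM_ERR_TRUNCATED;
    if (der[idx++] != 0x02) return CRLNUM_ERR_NOT_INTEGER;

    uint8_t b = der[idx++];
    if (b < 0x80) {
        len = b;                              /* short-form length */
    } else {
        size_t nbytes = b & 0x7F;             /* long-form: nbytes of length follow */
        if (nbytes == 0 || nbytes > 4) return CRLNUM_ERR_BAD_LENGTH;  /* indefinite / absurd */
        if (derLen - idx < nbytes) return CRLNUM_ERR_TRUNCATED;
        for (size_t i = 0; i < nbytes; i++) len = (len << 8) | der[idx++];
        if (len < 0x80) return CRLNUM_ERR_BAD_LENGTH;  /* DER requires minimal length */
    }
    if (len == 0) return CRLNUM_ERR_BAD_LENGTH;       /* INTEGER has >= 1 content octet */
    if (len > derLen - idx) return CRLNUM_ERR_TRUNCATED;

    /* The bound that prevents the stack-based overflow: the value must fit the
     * fixed buffer before a single byte is copied. */
    if (len > CRL_NUMBER_MAX_OCTETS) return CRLNUM_ERR_TOO_LARGE;
    if (len > outCap) return CRLNUM_ERR_OUT_TOO_SMALL;

    memcpy(out, der + idx, len);
    return (int)len;
}

/* Render the CRL number as a lowercase hex string. The destination must hold
 * 2 characters per octet plus the terminator; a buffer sized only for the raw
 * octets would be overrun here, which is the heap-overflow shape described. */
int crl_number_to_hex(const uint8_t *num, size_t numLen, char *hex, size_t hexCap)
{
    static const char digits[] = "0123456789abcdef";
    if (hexCap < numLen * 2 + 1) return CRLNUM_ERR_OUT_TOO_SMALL;
    for (size_t i = 0; i < numLen; i++) {
        hex[2 * i]     = digits[num[i] >> 4];
        hex[2 * i + 1] = digits[num[i] & 0x0F];
    }
    hex[numLen * 2] = '\0';
    return (int)(numLen * 2);
}

/* Hex form of the last successfully checked sample (for inspection/tests). */
static char g_lastHex[CRL_NUMBER_MAX_OCTETS * 2 + 1];

/* Parse one extension value into a correctly sized stack buffer, then
 * hex-encode it into g_lastHex. Returns hex length or a CRLNUM_ERR_* code. */
int check_sample(const uint8_t *der, size_t derLen)
{
    uint8_t num[CRL_NUMBER_MAX_OCTETS];
    int n = parse_crl_number(der, derLen, num, sizeof(num));
    if (n < 0) return n;
    return crl_number_to_hex(num, (size_t)n, g_lastHex, sizeof(g_lastHex));
}

/* Constructed sample encodings (not taken from any real CRL). */
static const uint8_t kCrlNumberSmall[]     = { 0x02, 0x03, 0x01, 0x02, 0x03 };
static const uint8_t kCrlNumberTruncated[] = { 0x02, 0x05, 0x01, 0x02 };
static const uint8_t kCrlNumberWrongTag[]  = { 0x04, 0x01, 0x00 };
static const uint8_t kCrlNumberOversized[] = { 0x02, 0x15,   /* 21 content octets */
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA };

int main(void)
{
    int r = check_sample(kCrlNumberSmall, sizeof kCrlNumberSmall);
    printf("small:     %d (%s)\n", r, r > 0 ? g_lastHex : "-");
    printf("truncated: %d\n", check_sample(kCrlNumberTruncated, sizeof kCrlNumberTruncated));
    printf("wrong tag: %d\n", check_sample(kCrlNumberWrongTag, sizeof kCrlNumberWrongTag));
    printf("oversized: %d\n", check_sample(kCrlNumberOversized, sizeof kCrlNumberOversized));
    return 0;
}
```

The oversized sample is exactly the input the advisory describes: a syntactically valid CRL number whose length exceeds what the parser's fixed buffer can hold. Rejecting it before the copy, rather than trusting the DER length, is the check that closes the stack-based write; sizing the hex buffer from the octet count (2n+1) rather than from n closes the heap-based one.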

Remediation

Users should update to the latest version of wolfSSL, where this vulnerability has been addressed.

Added: Mar 19, 2026, 6:20 PM
Updated: Mar 19, 2026, 6:20 PM

Vulnerability Rating (custom algorithm)

  spread          6.6
  impact          1.3
  exploitability  4.6
  remediation     8.3
  relevance       4.1
  threat          1.6
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.