wolfSSL Subject Alternative Name Integer Underflow Vulnerability in X.509 Certificate Parsing

A vulnerability exists in wolfSSL's X.509 certificate handling, specifically when parsing the Subject Alternative Name (SAN) extension. The issue arises from an integer underflow, where a malformed certificate can specify a length for an entry that exceeds the total length of the enclosing sequence. This discrepancy causes the internal length counter to wrap, leading to improper management of the certificate data. This vulnerability is present only in configurations that utilize the original ASN.1 parsing implementation, which is disabled by default.

Impact

Exploitation of this vulnerability could lead to incorrect processing of X.509 certificate data, potentially allowing for malformed certificates to be accepted or misinterpreted during cryptographic operations.

Remediation

Users can update to the latest version of wolfSSL, where this vulnerability has been addressed. Instructions for updating can be found in the wolfSSL documentation.