wolfSSL wolfCrypt
cpe:2.3:a:wolfssl:wolfcrypt:*:*:*:*:*:*:*
An integer overflow vulnerability has been identified in the wolfCrypt CMAC implementation, which could be exploited to forge CMAC tags. The issue arises in the wc_CmacUpdate function, where a guard checks if the total size is not zero to skip XOR-chaining on the first block. However, this total size, being a 32-bit word, wraps to zero after approximately 4 GiB, leading the guard to incorrectly discard the active CBC-MAC chain state. Consequently, two messages sharing a common suffix beyond the 4 GiB limit can produce identical CMAC tags, facilitating a zero-work prefix-substitution forgery. The vulnerability has been addressed by removing the guard, allowing the XOR operation to be unconditional while preserving the no-op characteristic of the first block by initializing the digest to zero.
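The wrap described above, as a scaled-down model added here for illustration (not wolfSSL's code): the guarded and unconditional XOR variants of a CBC-MAC style update loop, run over two messages that differ only in their prefix. Assumptions: `toy_encrypt`, `ToyMac`, `toy_update` and `tags_collide` are hypothetical names, the block function is a toy stand-in for AES, the byte counter is 8 bits wide so it wraps after 256 bytes instead of roughly 4 GiB, and CMAC's final-block subkey step is omitted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK 16

/* Toy invertible byte mixer standing in for AES (assumption; not secure). */
static void toy_encrypt(uint8_t out[BLK], const uint8_t in[BLK]) {
    uint8_t prev = 0x5a;
    for (int i = 0; i < BLK; i++) {
        prev = (uint8_t)((in[i] ^ prev) * 167u + 13u + (unsigned)i);
        out[i] = prev;
    }
}

/* total is 8 bits here so it wraps after 256 bytes; the page's is 32 bits. */
typedef struct { uint8_t digest[BLK]; uint8_t total; } ToyMac;

/* Absorb whole blocks. guarded=1 models the pre-fix check, 0 the fix. */
static void toy_update(ToyMac *m, const uint8_t *in, size_t len, int guarded) {
    uint8_t buf[BLK];
    for (size_t off = 0; off + BLK <= len; off += BLK) {
        memcpy(buf, in + off, BLK);
        if (!guarded || m->total != 0)          /* pre-fix: skipped when total == 0 */
            for (int i = 0; i < BLK; i++) buf[i] ^= m->digest[i];
        toy_encrypt(m->digest, buf);
        m->total = (uint8_t)(m->total + BLK);   /* wraps to 0 after 16 blocks */
    }
}

/* 1 if two messages with different 256-byte prefixes and the same suffix
   yield the same chain value (constructed sample data). */
int tags_collide(int guarded) {
    uint8_t a[256 + 32], b[256 + 32];
    memset(a, 0x41, 256); memset(a + 256, 0x53, 32);
    memcpy(b, a, sizeof b);
    b[0] = 0x42;
    ToyMac ma = {{0}, 0}, mb = {{0}, 0};
    toy_update(&ma, a, sizeof a, guarded);
    toy_update(&mb, b, sizeof b, guarded);
    return memcmp(ma.digest, mb.digest, BLK) == 0;
}

int main(void) {
    printf("guarded collides: %d, unconditional collides: %d\n",
           tags_collide(1), tags_collide(0));
    return 0;
}
```

With the guard, the first block after the wrap is encrypted without the chain value, so everything before it stops influencing the result; with the unconditional XOR and a zero-initialized digest, the first block is still a no-op XOR and the prefixes stay bound to the tag.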
Exploitation of this vulnerability allows for the forgery of CMAC tags, which could be used to manipulate message authentication in a way that is undetectable.
Users should update to the latest version of wolfSSL, where this vulnerability has been fixed.