Heap overflow in wolfSSL CVE-2019-18840

Firo Solutions
Nov 15 · 1 min read

A heap overflow vulnerability has been found in wolfSSL.

wolfSSL is a TLS library mostly used in embedded Linux devices.
It is also used in the popular tool curl.
Its small code base makes it very popular in various
IoT projects.

The vulnerability has been assigned CVE-2019-18840.

Explanation of the vulnerability

Due to incorrect parsing of ASN.1 certificates while
performing a handshake, the GetName function in wolfcrypt/src/asn.c
allows the program to overwrite memory it should not touch,
causing a heap overflow.

A malicious certificate will crash the program and, if
exploited in a more advanced way, the effect will lead to
remote code execution.

wolfcrypt/src/asn.c:4505:

void FreeDecodedCert(DecodedCert* cert)
{
    ...
    if (cert->subjectName.fullName != NULL)
        XFREE(cert->subjectName.fullName, cert->heap, DYNAMIC_TYPE_X509);
    ...
}

wolfssl/wolfcrypt/asn.h:

#define DOMAIN_COMPONENT_MAX 10
#define DN_NAMES_MAX 9
struct DecodedName {
    char* fullName;
    ...
    int loc[DOMAIN_COMPONENT_MAX + DN_NAMES_MAX];
    int locSz;
};
struct DecodedCert {
    ...
    DecodedName issuerName;
    DecodedName subjectName;
    ...
};

Source:
https://github.com/wolfSSL/wolfssl/issues/2555
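
The excerpts above show a fixed-size loc[] array sitting in memory ahead of the subjectName.fullName pointer that FreeDecodedCert later frees. The following is an added example, not wolfSSL's code or its actual fix: a simplified model that assumes loc[] is the buffer being overrun and shows the bounds check that keeps the neighbouring pointer intact. ModelName, ModelCert, record_loc, parse_issuer_components and subject_pointer_intact are hypothetical names, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
#define DOMAIN_COMPONENT_MAX 10
#define DN_NAMES_MAX 9
#define LOC_MAX (DOMAIN_COMPONENT_MAX + DN_NAMES_MAX)

/* Simplified model of the structs quoted above (assumption: not wolfSSL's full layout). */
typedef struct { char *fullName; int loc[LOC_MAX]; int locSz; } ModelName;
typedef struct { ModelName issuerName; ModelName subjectName; } ModelCert;

/* Hardened append (hypothetical helper): reject instead of writing past loc[]. */
static int record_loc(ModelName *n, int offset)
{
    if (n->locSz < 0 || n->locSz >= LOC_MAX)
        return -1;                      /* too many name components */
    n->loc[n->locSz++] = offset;
    return 0;
}

/* Record `count` name components; 0 if the name fits, -1 if it is rejected. */
static int parse_issuer_components(ModelCert *c, int count)
{
    for (int i = 0; i < count; i++)
        if (record_loc(&c->issuerName, i * 16) != 0)  /* constructed offsets */
            return -1;
    return 0;
}

/* Parse a constructed name and report whether the neighbouring
 * subjectName.fullName pointer (later passed to XFREE) is unchanged. */
static int subject_pointer_intact(int count, int *rc)
{
    static char name[] = "CN=example";  /* constructed sample value */
    ModelCert c;
    memset(&c, 0, sizeof c);
    c.subjectName.fullName = name;
    *rc = parse_issuer_components(&c, count);
    return c.subjectName.fullName == name && c.issuerName.locSz <= LOC_MAX;
}

int main(void)
{
    int rc, ok;
    ok = subject_pointer_intact(LOC_MAX, &rc);
    printf("%d components: rc=%d intact=%d\n", LOC_MAX, rc, ok);
    ok = subject_pointer_intact(64, &rc);
    printf("64 components: rc=%d intact=%d\n", rc, ok);
    return 0;
}
```

Without the check in record_loc, the 20th write in this model would land on locSz and later writes on subjectName.fullName, which is the pointer the FreeDecodedCert excerpt hands to XFREE.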


We at Firo strongly believe that you should locate
the vulnerabilities within your network and patch them.
With Firo Solutions you can receive notifications about
new vulnerabilities that affect your system.
