Denial of Service Vulnerability in wolfSSL TLS 1.3 Implementation
CVE-2020-12457

7.5HIGH

Key Information:

Vendor: Wolfssl
Status: Wolfssl
Vendor: CVE Published:; 21 August 2020

What is CVE-2020-12457?

A vulnerability has been found in wolfSSL, specifically affecting its handling of the ChangeCipherSpec (CCS) message processing logic in TLS 1.3. An attacker can exploit this flaw by sending multiple sequential ChangeCipherSpec messages crafted in a specific way, leading the server to enter an infinite loop in the ProcessReply() function. This results in a denial of service, hindering server operations and impacting availability.

References

https://github.com/wolfSSL/wolfssl/pull/2927

x_refsource_MISC

https://github.com/wolfSSL/wolfssl/releases/tag/v4.5.0-st...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 21, 2020
Vulnerability Reserved
Apr 29, 2020

Wolfssl

What is CVE-2020-12457?

References

CVSS V3.1

Timeline