Denial of Service Vulnerability in wolfSSL TLS 1.3 Implementation
CVE-2020-12457
7.5 HIGH
Summary
wolfSSL before 4.5.0 mishandles the change_cipher_spec (CCS) message processing logic for TLS 1.3. If an attacker sends ChangeCipherSpec messages in a crafted way, with more than one arriving in a row, the server is forced to process them in an infinite loop inside ProcessReply(). The result is a denial of service: the affected server thread stops making progress, and availability is lost. No authentication and no completed handshake are required, so any network-reachable wolfSSL TLS 1.3 server in the affected range is exposed. Upgrading to wolfSSL 4.5.0 or later addresses the issue.
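The following is an added illustration, not wolfSSL's own code and not the actual ProcessReply() logic: a toy model of a TLS 1.3 record-processing loop that shows the failure class behind this CVE (a duplicate CCS record "ignored" by jumping back to the top of the loop without advancing past it, so the same bytes are read forever) next to a hardened loop that always consumes the record first, applies the RFC 8446 section 5 rules for a compatibility-mode CCS, and caps how many it will tolerate. The cap value, the function names and the record streams are all assumptions made for this example; the streams are constructed inline, and the model treats every record as plaintext for simplicity even though a real client Finished would be encrypted.

```python
import struct

CCS = 0x14            # content type: change_cipher_spec
HANDSHAKE = 0x16      # content type: handshake
CLIENT_HELLO = 1      # HandshakeType values used below
FINISHED = 20
LEGACY_VERSION = b"\x03\x03"   # legacy_record_version carried by TLS 1.3 records
MAX_CCS_PER_HANDSHAKE = 1      # defensive cap chosen for this example (assumption)
SPIN_LIMIT = 1000              # guard so the vulnerable model terminates

def tls_record(content_type, payload):
    """Build a TLSPlaintext record: type(1) version(2) length(2) fragment."""
    return bytes([content_type]) + LEGACY_VERSION + struct.pack("!H", len(payload)) + payload

def ccs_record(body=b"\x01"):
    return tls_record(CCS, body)

def handshake_record(msg_type, body=b""):
    """Wrap a Handshake message: HandshakeType(1) + uint24 length + body."""
    return tls_record(HANDSHAKE, bytes([msg_type]) + len(body).to_bytes(3, "big") + body)

def parse_record(buf, off):
    """Return (content_type, fragment, next_offset) for the record at buf[off:]."""
    if len(buf) - off < 5:
        raise ValueError("truncated record header")
    length = struct.unpack("!H", buf[off + 3:off + 5])[0]
    if length > 2 ** 14:                       # TLSPlaintext fragment limit
        raise ValueError("record_overflow")
    end = off + 5 + length
    if end > len(buf):
        raise ValueError("truncated record body")
    return buf[off], buf[off + 5:end], end

def vulnerable_process_reply(buf):
    """Model of the failure class (not wolfSSL's code): a second CCS is
    'ignored' by restarting the loop, but the offset is never advanced, so the
    same record is read again forever. Returns 'hung' when the spin guard trips."""
    off, seen_ccs, spins = 0, False, 0
    while off < len(buf):
        spins += 1
        if spins > SPIN_LIMIT:
            return "hung"
        ctype, fragment, nxt = parse_record(buf, off)
        if ctype == CCS:
            if seen_ccs:
                continue          # BUG: off is unchanged -> no forward progress
            seen_ccs = True
        off = nxt
    return "done"

def hardened_process_reply(buf):
    """Consumes each record before acting on it, enforces the RFC 8446 rules
    for a compatibility-mode CCS, and caps how many it tolerates."""
    off, ccs_count, got_client_hello, got_finished = 0, 0, False, False
    while off < len(buf):
        ctype, fragment, nxt = parse_record(buf, off)
        off = nxt                 # forward progress regardless of record type
        if ctype == CCS:
            # RFC 8446 s.5: a single 0x01 byte, only after ClientHello and
            # before the peer's Finished; anything else is unexpected_message.
            if not got_client_hello or got_finished or fragment != b"\x01":
                return "rejected: unexpected_message"
            ccs_count += 1
            if ccs_count > MAX_CCS_PER_HANDSHAKE:
                return "rejected: too many change_cipher_spec records"
            continue              # drop it without further processing
        if ctype == HANDSHAKE and fragment:
            if fragment[0] == CLIENT_HELLO:
                got_client_hello = True
            elif fragment[0] == FINISHED:
                got_finished = True
    return "done"

# Constructed input streams: a client's records as a server would buffer them.
NORMAL_STREAM = handshake_record(CLIENT_HELLO) + ccs_record() + handshake_record(FINISHED)
REPEATED_CCS_STREAM = handshake_record(CLIENT_HELLO) + ccs_record() * 3 + handshake_record(FINISHED)
EARLY_CCS_STREAM = ccs_record() + handshake_record(CLIENT_HELLO)

if __name__ == "__main__":
    for name, stream in [("normal", NORMAL_STREAM), ("repeated", REPEATED_CCS_STREAM), ("early", EARLY_CCS_STREAM)]:
        print(f"{name:9s} vulnerable={vulnerable_process_reply(stream)!r} "
              f"hardened={hardened_process_reply(stream)!r}")
```

The two properties worth carrying into a real record layer are visible in the hardened loop: the read offset advances before any per-type branch runs, so no message type can prevent forward progress, and the number of tolerated CCS records is bounded rather than merely "dropped", which turns an attacker-controlled repetition into a fatal alert instead of wasted CPU.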
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged