Improper IV Initialization in wolfSSL TLS Implementations
CVE-2022-23408

9.1CRITICAL

Key Information:

Vendor: Wolfssl
Status: Wolfssl
Vendor: CVE Published:; 18 January 2022

Summary

The wolfSSL library, in versions before 5.1.1, is susceptible to a vulnerability due to improper initialization of Initialization Vectors (IV) in certain scenarios. This issue impacts TLS and DTLS connections utilizing AES-CBC or DES3 without AEAD, potentially exposing sensitive data to unauthorized access. The flaw arises from a misplaced memory initialization within the BuildMessage function located in internal.c, making it critical for users to update to the patched version to ensure robust security.

References

https://github.com/wolfSSL/wolfssl/pull/4710

x_refsource_MISC

https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog....

x_refsource_MISC

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 18, 2022
Vulnerability Reserved
Jan 18, 2022