cnvd - cnvd-2021-19698

cnvd-2021-19698

Vulnerability from cnvd

Title: Wolfssl信任管理问题漏洞

Description:

Wolfssl（CyaSSL）是美国Wolfssl公司的一个针对嵌入式系统开发人员使用的小的、可移植的嵌入式SSL编程库。

WolfSSL 版本4.6.0 tls13.c文件中的 DoTls13CertificateVerify 函数存在信任管理问题漏洞，该漏洞源于不会停止对某些异常对等体行为的处理。目前没有详细的漏洞细节提供。

Severity: 中

Formal description:

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法： https://github.com/wolfSSL/wolfssl/pull/3676

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-3336

Impacted products

Name
wolfSSL wolfSSL 4.6.0 tls13.c

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-3336",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-3336"
    }
  },
  "description": "Wolfssl\uff08CyaSSL\uff09\u662f\u7f8e\u56fdWolfssl\u516c\u53f8\u7684\u4e00\u4e2a\u9488\u5bf9\u5d4c\u5165\u5f0f\u7cfb\u7edf\u5f00\u53d1\u4eba\u5458\u4f7f\u7528\u7684\u5c0f\u7684\u3001\u53ef\u79fb\u690d\u7684\u5d4c\u5165\u5f0fSSL\u7f16\u7a0b\u5e93\u3002\n\nWolfSSL \u7248\u672c4.6.0 tls13.c\u6587\u4ef6\u4e2d\u7684 DoTls13CertificateVerify \u51fd\u6570\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4e0d\u4f1a\u505c\u6b62\u5bf9\u67d0\u4e9b\u5f02\u5e38\u5bf9\u7b49\u4f53\u884c\u4e3a\u7684\u5904\u7406\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\nhttps://github.com/wolfSSL/wolfssl/pull/3676",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-19698",
  "openTime": "2021-03-21",
  "products": {
    "product": "wolfSSL wolfSSL 4.6.0 tls13.c"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-3336",
  "serverity": "\u4e2d",
  "submitTime": "2021-02-03",
  "title": "Wolfssl\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2021-3336 (GCVE-0-2021-3336)

Vulnerability from cvelistv5

Published

2021-01-29 04:58

Modified

2024-08-03 16:53

Severity ?

CWE

Summary

DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an ED22519, ED448, ECC, or RSA signature without the corresponding certificate). The client side is affected because man-in-the-middle attackers can impersonate TLS 1.3 servers.

References

▼	URL	Tags
	https://github.com/wolfSSL/wolfssl/pull/3676	x_refsource_MISC
	https://www.wolfssl.com/docs/security-vulnerabilities	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T16:53:17.588Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wolfSSL/wolfssl/pull/3676"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.wolfssl.com/docs/security-vulnerabilities"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an ED22519, ED448, ECC, or RSA signature without the corresponding certificate). The client side is affected because man-in-the-middle attackers can impersonate TLS 1.3 servers."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-22T23:02:07",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wolfSSL/wolfssl/pull/3676"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.wolfssl.com/docs/security-vulnerabilities"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-3336",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an ED22519, ED448, ECC, or RSA signature without the corresponding certificate). The client side is affected because man-in-the-middle attackers can impersonate TLS 1.3 servers."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wolfSSL/wolfssl/pull/3676",
              "refsource": "MISC",
              "url": "https://github.com/wolfSSL/wolfssl/pull/3676"
            },
            {
              "name": "https://www.wolfssl.com/docs/security-vulnerabilities",
              "refsource": "CONFIRM",
              "url": "https://www.wolfssl.com/docs/security-vulnerabilities"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-3336",
    "datePublished": "2021-01-29T04:58:39",
    "dateReserved": "2021-01-28T00:00:00",
    "dateUpdated": "2024-08-03T16:53:17.588Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted