Vulnerability-Lookup

CNVD-2022-15491

Vulnerability from cnvd - Published: 2022-03-01

Title

wolfSSL安全特征问题漏洞

Description

Wolfssl（CyaSSL）是美国Wolfssl公司的一个针对嵌入式系统开发人员使用的小的、可移植的嵌入式SSL编程库。 wolfSSL存在安全漏洞，该漏洞源于在某些情况下，5.1.1之前的x使用非随机IV值。这将影响使用TLS 1.1或1.2或TLS 1.1或1.2的AES-CBC或DES3连接(没有AEAD)。发生这种情况是因为在internal.c中的BuildMessage中错误的内存初始化。目前没有详细的漏洞细节提供。

Severity

中

Patch Name

wolfSSL安全特征问题漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-511-jan-3rd-2022

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-23408

Impacted products

Name
wolfSSL wolfSSL 5.*，<5.1.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-23408"
    }
  },
  "description": "Wolfssl\uff08CyaSSL\uff09\u662f\u7f8e\u56fdWolfssl\u516c\u53f8\u7684\u4e00\u4e2a\u9488\u5bf9\u5d4c\u5165\u5f0f\u7cfb\u7edf\u5f00\u53d1\u4eba\u5458\u4f7f\u7528\u7684\u5c0f\u7684\u3001\u53ef\u79fb\u690d\u7684\u5d4c\u5165\u5f0fSSL\u7f16\u7a0b\u5e93\u3002\n\nwolfSSL\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\uff0c5.1.1\u4e4b\u524d\u7684x\u4f7f\u7528\u975e\u968f\u673aIV\u503c\u3002\u8fd9\u5c06\u5f71\u54cd\u4f7f\u7528TLS 1.1\u62161.2\u6216TLS 1.1\u62161.2\u7684AES-CBC\u6216DES3\u8fde\u63a5(\u6ca1\u6709AEAD)\u3002\u53d1\u751f\u8fd9\u79cd\u60c5\u51b5\u662f\u56e0\u4e3a\u5728internal.c\u4e2d\u7684BuildMessage\u4e2d\u9519\u8bef\u7684\u5185\u5b58\u521d\u59cb\u5316\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-511-jan-3rd-2022",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-15491",
  "openTime": "2022-03-01",
  "patchDescription": "Wolfssl\uff08CyaSSL\uff09\u662f\u7f8e\u56fdWolfssl\u516c\u53f8\u7684\u4e00\u4e2a\u9488\u5bf9\u5d4c\u5165\u5f0f\u7cfb\u7edf\u5f00\u53d1\u4eba\u5458\u4f7f\u7528\u7684\u5c0f\u7684\u3001\u53ef\u79fb\u690d\u7684\u5d4c\u5165\u5f0fSSL\u7f16\u7a0b\u5e93\u3002\r\n\r\nwolfSSL\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\uff0c5.1.1\u4e4b\u524d\u7684x\u4f7f\u7528\u975e\u968f\u673aIV\u503c\u3002\u8fd9\u5c06\u5f71\u54cd\u4f7f\u7528TLS 1.1\u62161.2\u6216TLS 1.1\u62161.2\u7684AES-CBC\u6216DES3\u8fde\u63a5(\u6ca1\u6709AEAD)\u3002\u53d1\u751f\u8fd9\u79cd\u60c5\u51b5\u662f\u56e0\u4e3a\u5728internal.c\u4e2d\u7684BuildMessage\u4e2d\u9519\u8bef\u7684\u5185\u5b58\u521d\u59cb\u5316\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "wolfSSL\u5b89\u5168\u7279\u5f81\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "wolfSSL wolfSSL 5.*\uff0c\u003c5.1.1"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-23408",
  "serverity": "\u4e2d",
  "submitTime": "2022-01-19",
  "title": "wolfSSL\u5b89\u5168\u7279\u5f81\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2022-23408 (GCVE-0-2022-23408)

Vulnerability from cvelistv5 – Published: 2022-01-18 20:20 – Updated: 2024-08-03 03:43

Summary

wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2. This occurs because of misplaced memory initialization in BuildMessage in internal.c.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

2 references

URL	Tags
https://github.com/wolfSSL/wolfssl/pull/4710	x_refsource_MISC
https://github.com/wolfSSL/wolfssl/blob/master/Ch…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:43:45.850Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wolfSSL/wolfssl/pull/4710"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-511-jan-3rd-2022"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2. This occurs because of misplaced memory initialization in BuildMessage in internal.c."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-18T20:20:15.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wolfSSL/wolfssl/pull/4710"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-511-jan-3rd-2022"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-23408",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2. This occurs because of misplaced memory initialization in BuildMessage in internal.c."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wolfSSL/wolfssl/pull/4710",
              "refsource": "MISC",
              "url": "https://github.com/wolfSSL/wolfssl/pull/4710"
            },
            {
              "name": "https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-511-jan-3rd-2022",
              "refsource": "MISC",
              "url": "https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-511-jan-3rd-2022"
            }
          ]
        },
        "source": {
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-23408",
    "datePublished": "2022-01-18T20:20:15.000Z",
    "dateReserved": "2022-01-18T00:00:00.000Z",
    "dateUpdated": "2024-08-03T03:43:45.850Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-15491

CVE-2022-23408 (GCVE-0-2022-23408)

Tags

Sightings

Nomenclature