CVE-2017-2800
published 2017-05-24


Priority: P2 / 65
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 8.53% (94.4th percentile)
A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting in potential certificate validation vulnerabilities, denial of service and possible remote code execution. In order to trigger this vulnerability, the attacker needs to supply a malicious x509 certificate to either a server or a client application using this library.

Affected

7 ranges

Vendor  | Product | Version range                              | Fixed in
------- | ------- | ------------------------------------------ | ------------------------------
debian  | wolfssl | < wolfssl 3.12.0+dfsg-1 (bookworm)         | wolfssl 3.12.0+dfsg-1 (bookworm)
wolfssl | wolfssl | <= 3.10.2                                  |
wolfssl | wolfssl |                                            |
wolfssl | wolfssl | >= 0, < 3.12.0+dfsg-1                      | 3.12.0+dfsg-1
wolfssl | wolfssl | >= 0, < 3.12.0+dfsg-1                      | 3.12.0+dfsg-1
wolfssl | wolfssl | >= 0, < 3.12.0+dfsg-1                      | 3.12.0+dfsg-1
wolfssl | wolfssl | >= 0, < 3.12.0+dfsg-1                      | 3.12.0+dfsg-1

Detection & IOCs (extracted from sources)

Version: wolfSSL <= 3.10.2
  • Monitor for off-by-one NULL byte write at the boundary of stack-allocated certificate field buffers (commonName, countryName, localityName, stateName, orgName, orgUnit) during x509 DER certificate parsing in wolfSSL — triggered by a certificate field length equal to or exceeding the destination buffer size.
  • Flag x509 certificates presented to wolfSSL-linked applications where the localityName (L=) field is padded with an abnormally long string (e.g., 80+ 'A' characters) — this matches the PoC trigger pattern.
  • The vulnerable code path is wolfSSL_X509_NAME_get_text_by_NID in ssl.c; look for AddressSanitizer stack-buffer-overflow reports at this function when processing untrusted certificates in both server and client roles.
  • The vulnerability is exploitable over the network (AV:N) with no authentication required; inspect TLS handshake traffic where a peer supplies a crafted certificate with oversized subject DN fields to any wolfSSL-based application.
  • Both TLS server and client roles are affected; client-side exploitation requires the attacker to control or impersonate a server that presents the malicious certificate during the handshake.
  • The write primitive is a single NULL byte overwrite; exploitability for RCE depends on memory layout (stack vs. heap allocation of the certificate field buffer) and the specific application's use of the library.
  • Fix is available in wolfSSL 3.12.0; Debian packages resolved in 3.12.0+dfsg-1 across all tracked suites.

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
------------- | ------------ | ----- | -------- | ----------------------------------------------
nvd           | v3.1         | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v3.0         | 8.1   | HIGH     | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0         | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv           |              | 9.8   | CRITICAL |
vendor_debian |              | 9.8   | CRITICAL |
vendor_cisco  |              | 7.5   | HIGH     |