CVE-2017-2800
Published 2017-05-24
Priority P265 · critical 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS 8.53% (94.4th percentile)
A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting in potential certificate validation vulnerabilities, denial of service and possible remote code execution. In order to trigger this vulnerability, the attacker needs to supply a malicious x509 certificate to either a server or a client application using this library.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wolfssl | < wolfssl 3.12.0+dfsg-1 (bookworm) | wolfssl 3.12.0+dfsg-1 (bookworm) |
| wolfssl | wolfssl | <= 3.10.2 | — |
| wolfssl | wolfssl | — | — |
| wolfssl | wolfssl | >= 0 < 3.12.0+dfsg-1 | 3.12.0+dfsg-1 |
| wolfssl | wolfssl | >= 0 < 3.12.0+dfsg-1 | 3.12.0+dfsg-1 |
| wolfssl | wolfssl | >= 0 < 3.12.0+dfsg-1 | 3.12.0+dfsg-1 |
| wolfssl | wolfssl | >= 0 < 3.12.0+dfsg-1 | 3.12.0+dfsg-1 |
Detection & IOCs (extracted from sources)
- Monitor for an off-by-one NULL byte write at the boundary of stack-allocated certificate field buffers (commonName, countryName, localityName, stateName, orgName, orgUnit) during x509 DER certificate parsing in wolfSSL; it is triggered by a certificate field length equal to or exceeding the destination buffer size.
- Flag x509 certificates presented to wolfSSL-linked applications where the localityName (L=) field is padded with an abnormally long string (e.g., 80+ 'A' characters); this matches the PoC trigger pattern.
- The vulnerable code path is wolfSSL_X509_NAME_get_text_by_NID in ssl.c; look for AddressSanitizer stack-buffer-overflow reports at this function when processing untrusted certificates in both server and client roles.
- The vulnerability is exploitable over the network (AV:N) with no authentication required; inspect TLS handshake traffic where a peer supplies a crafted certificate with oversized subject DN fields to any wolfSSL-based application.
- Both TLS server and client roles are affected; client-side exploitation requires the attacker to control or impersonate a server that presents the malicious certificate during the handshake.
- The write primitive is a single NULL byte overwrite; exploitability for RCE depends on memory layout (stack vs. heap allocation of the certificate field buffer) and the specific application's use of the library.
- Fix is available in wolfSSL 3.12.0; Debian packages resolved in 3.12.0+dfsg-1 across all tracked suites.
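The bullets above describe the defect class (a DN string field whose length equals the destination buffer size, so the terminating NUL lands one byte past the end) and the screening a defender can apply to DN fields before they reach a fixed-size buffer. The following C program is an added illustration written for this page; it is not wolfSSL's code, not Talos's PoC, and does not reproduce the actual `wolfSSL_X509_NAME_get_text_by_NID` logic. It assumes a hypothetical 80-byte field buffer (`NAME_FIELD_BUF`; the real constant is not given here), decodes a single DER tag/length header, and rejects any value that would not leave room for the terminator. The sample certificate field it screens is constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed destination size for one DN text field (commonName, localityName, ...).
   wolfSSL's real buffer size is not given on this page; 80 is a placeholder. */
#define NAME_FIELD_BUF 80

enum field_verdict { FIELD_OK = 0, FIELD_MALFORMED = 1, FIELD_OVERSIZED = 2 };

/* Decode one DER tag/length header from tlv[0..tlv_len). Stores the tag and the
   content length and returns the offset of the content, or 0 if the header is
   truncated, uses the indefinite form, or claims more content than is present. */
size_t der_tlv_header(const uint8_t *tlv, size_t tlv_len, uint8_t *tag, size_t *content_len)
{
    if (tlv_len < 2) return 0;
    size_t off = 2, len = tlv[1];
    if (len >= 0x80) {                                   /* long form: 0x8N, then N length bytes */
        size_t nbytes = len & 0x7f;
        if (nbytes == 0 || nbytes > sizeof(size_t) || tlv_len - 2 < nbytes) return 0;
        len = 0;
        for (size_t i = 0; i < nbytes; i++) len = (len << 8) | tlv[2 + i];
        off = 2 + nbytes;
    }
    if (len > tlv_len - off) return 0;                   /* content would run past the buffer */
    *tag = tlv[0];
    *content_len = len;
    return off;
}

/* The defect class behind CVE-2017-2800: copy `len` bytes, then write the
   terminator at dst[len]. With len == dst_size the NUL lands one byte past the
   end. This hardened form requires len < dst_size so the NUL always fits, and
   rejects the field rather than silently truncating it. */
bool copy_name_field(char *dst, size_t dst_size, const uint8_t *src, size_t len)
{
    if (dst_size == 0 || len >= dst_size) return false;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return true;
}

/* Screen one DN attribute value before it reaches a fixed-size text buffer. */
enum field_verdict screen_name_field(const uint8_t *tlv, size_t tlv_len, char *out, size_t out_size)
{
    uint8_t tag;
    size_t clen;
    size_t off = der_tlv_header(tlv, tlv_len, &tag, &clen);
    if (off == 0) return FIELD_MALFORMED;
    /* DN string types commonly seen: PrintableString, UTF8String, IA5String */
    if (tag != 0x13 && tag != 0x0c && tag != 0x16) return FIELD_MALFORMED;
    if (!copy_name_field(out, out_size, tlv + off, clen)) return FIELD_OVERSIZED;
    return FIELD_OK;
}

/* Constructed sample input: a PrintableString of n 'A' bytes (n < 256) with a
   correct short- or long-form length. Returns the encoded size, or 0 on error. */
size_t build_printable_string(uint8_t *buf, size_t buf_size, size_t n)
{
    size_t hdr = n < 0x80 ? 2 : 3;
    if (n > 0xff || buf_size < hdr + n) return 0;
    buf[0] = 0x13;
    if (hdr == 2) { buf[1] = (uint8_t)n; }
    else { buf[1] = 0x81; buf[2] = (uint8_t)n; }
    memset(buf + hdr, 'A', n);
    return hdr + n;
}

/* Verdict for a padded field of n bytes against the assumed 80-byte buffer. */
enum field_verdict verdict_for_padding(size_t n)
{
    uint8_t tlv[300];
    char out[NAME_FIELD_BUF];
    size_t tlv_len = build_printable_string(tlv, sizeof tlv, n);
    return screen_name_field(tlv, tlv_len, out, sizeof out);
}

/* Same field with its last byte missing: the length claims more than is present. */
enum field_verdict verdict_for_truncated(size_t n)
{
    uint8_t tlv[300];
    char out[NAME_FIELD_BUF];
    size_t tlv_len = build_printable_string(tlv, sizeof tlv, n);
    return screen_name_field(tlv, tlv_len - 1, out, sizeof out);
}

int main(void)
{
    printf("79 bytes:  verdict %d (0 = ok, fits with terminator)\n", verdict_for_padding(79));
    printf("80 bytes:  verdict %d (2 = oversized; the unchecked copy would write dst[80])\n", verdict_for_padding(80));
    printf("200 bytes: verdict %d (long-form length, still rejected)\n", verdict_for_padding(200));
    printf("truncated: verdict %d (1 = malformed)\n", verdict_for_truncated(80));
    return 0;
}
```

The boundary case is the one the page's first bullet names: a field of exactly `NAME_FIELD_BUF` bytes is the smallest input on which the unchecked pattern writes out of bounds, and the `len >= dst_size` test is what turns that into a clean rejection. Rejecting rather than truncating is a deliberate choice here, since a silently shortened subject name can itself cause validation mismatches.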
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_cisco | — | 7.5 | HIGH | — |
GHSA
GHSA-59h3-rq7p-jqmv (ghsa_unreviewed · 2022-05-13 · CVE-2017-2800 · CRITICAL · CWE-295)
A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting in potential certificate validation vulnerabilities, denial of service and possible remote code execution. In order to trigger this vulnerability, the attacker needs to supply a malicious x509 certificate to either a server or a client application using this library.
OSV
CVE-2017-2800 (osv · 2017-05-24 · CVSS 9.8 · CRITICAL)
A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting in potential certificate validation vulnerabilities, denial of service and possible remote code execution. In order to trigger this vulnerability, the attacker needs to supply a malicious x509 certificate to either a server or a client application using this library.
Cisco
CVE-2017-12281 (vendor_cisco · 2017-11-01 · CVSS 6.1 · MEDIUM · CWE-287): Cisco Aironet 1800, 2800, and 3800 Series Access Points MAC Authentication Bypass Vulnerability
A vulnerability in the implementation of Protected Extensible Authentication Protocol (PEAP) functionality for standalone configurations of Cisco Aironet 1800, 2800, and 3800 Series Access Points could allow an unauthenticated, adjacent attacker to bypass authentication and connect to an affected device.
The vulnerability exists because the affected device uses an incorrect default configuration setting of fail open when running in standalone mode. An attacker could exploit this vulnerability by attempting to connect to an affected device. A successful exploit could allow the attacker to bypass authentication and connect to the affected device.
There are no workarounds that address this vulne
Cisco
CVE-2017-12273 (vendor_cisco · 2017-11-01 · CVSS 7.4 · HIGH · CWE-20): Cisco Aironet 1560, 2800, and 3800 Series Access Point Platforms 802.11 Denial of Service Vulnerability
A vulnerability in 802.11 association request frame processing for the Cisco Aironet 1560, 2800, and 3800 Series Access Points could allow an unauthenticated, Layer 2 radio frequency (RF) adjacent attacker to cause the Access Point (AP) to reload, resulting in a denial of service (DoS) condition.
The vulnerability is due to insufficient frame validation of the 802.11 association request. An attacker could exploit this vulnerability by sending a malformed 802.11 association request to the targeted device. An exploit could allow the attacker to cause the AP to reload, resulting in a DoS condition while the AP is reloading.
Cisco has released software updates that address this vulnerabil
Cisco
CVE-2017-12274 (vendor_cisco · 2017-11-01 · CVSS 7.4 · HIGH · CWE-20): Cisco Aironet 1560, 2800, and 3800 Series Access Point Platforms Extensible Authentication Protocol Denial of Service Vulnerability
A vulnerability in Extensible Authentication Protocol (EAP) ingress frame processing for the Cisco Aironet 1560, 2800, and 3800 Series Access Points could allow an unauthenticated, Layer 2 radio frequency (RF) adjacent attacker to cause the Access Point (AP) to reload, resulting in a denial of service (DoS) condition.
The vulnerability is due to insufficient validation of the EAP frame. An attacker could exploit this vulnerability by sending a malformed EAP frame to the targeted device. A successful exploit could allow the attacker to cause the AP to reload, resulting in a DoS condition while the AP is reloading. It may be necessary to manually power cycle t
Cisco
CVE-2017-3873 (vendor_cisco · 2017-05-03 · CVSS 7.5 · HIGH · CWE-20): Cisco Aironet 1800, 2800, and 3800 Series Access Points Plug-and-Play Arbitrary Code Execution Vulnerability
A vulnerability in the Plug-and-Play (PnP) subsystem of the Cisco Aironet 1800, 2800, and 3800 Series Access Points running a Lightweight Access Point (AP) or Mobility Express image could allow an unauthenticated, adjacent attacker to execute arbitrary code with root privileges.
The vulnerability is due to insufficient validation of PnP server responses. The PnP feature is only active while the device does not contain a configuration, such as a first time boot or after a factory reset has been issued. An attacker with the ability to respond to PnP configuration requests from the affected device can exploit the vulnerability by returning malicious PnP responses. If a Cisco Applicat
Debian
CVE-2017-2800 (vendor_debian · 2017 · CVSS 9.8 · CRITICAL): wolfssl
A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting in potential certificate validation vulnerabilities, denial of service and possible remote code execution. In order to trigger this vulnerability, the attacker needs to supply a malicious x509 certificate to either a server or a client application using this library.
Scope: local
- bookworm: resolved (fixed in 3.12.0+dfsg-1)
- bullseye: resolved (fixed in 3.12.0+dfsg-1)
- forky: resolved (fixed in 3.12.0+dfsg-1)
- sid: resolved (fixed in 3.12.0+dfsg-1)
- trixie: resolved (fixed in 3.12.0+dfsg-1)
Cisco
CVE-2017-12274 (vendor_cisco · CVSS 3.0): Cisco Aironet 1560, 2800, and 3800 Series Access Point Platforms Extensible Authentication Protocol Denial of Service Vulnerability
A vulnerability in Extensible Authentication Protocol (EAP) ingress frame processing for the Cisco Aironet 1560, 2800, and 3800 Series Access Points could allow an unauthenticated, Layer 2 radio frequency (RF) adjacent attacker to cause the Access Point (AP) to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient validation of the EAP frame. An attacker could exploit this vulnerability by sending a malformed EAP frame to the targeted device. A successful exploit could allow the attacker to cause the AP to reload, resulting in a DoS condition while the AP is reloading. It may be necessary to manually
Cisco
CVE-2017-12281 (vendor_cisco · CVSS 3.0): Cisco Aironet 1800, 2800, and 3800 Series Access Points MAC Authentication Bypass Vulnerability
A vulnerability in the implementation of Protected Extensible Authentication Protocol (PEAP) functionality for standalone configurations of Cisco Aironet 1800, 2800, and 3800 Series Access Points could allow an unauthenticated, adjacent attacker to bypass authentication and connect to an affected device. The vulnerability exists because the affected device uses an incorrect default configuration setting of fail open when running in standalone mode. An attacker could exploit this vulnerability by attempting to connect to an affected device. A successful exploit could allow the attacker to bypass authentication and connect to the affected device. There are no
CVSS: 3.0
CWE: CWE-287
Cisco
CVE-2017-12273 (vendor_cisco · CVSS 3.0): Cisco Aironet 1560, 2800, and 3800 Series Access Point Platforms 802.11 Denial of Service Vulnerability
A vulnerability in 802.11 association request frame processing for the Cisco Aironet 1560, 2800, and 3800 Series Access Points could allow an unauthenticated, Layer 2 radio frequency (RF) adjacent attacker to cause the Access Point (AP) to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient frame validation of the 802.11 association request. An attacker could exploit this vulnerability by sending a malformed 802.11 association request to the targeted device. An exploit could allow the attacker to cause the AP to reload, resulting in a DoS condition while the AP is reloading. Cisco has released software updates that address th
Cisco
CVE-2017-3873 (vendor_cisco · CVSS 3.0): Cisco Aironet 1800, 2800, and 3800 Series Access Points Plug-and-Play Arbitrary Code Execution Vulnerability
A vulnerability in the Plug-and-Play (PnP) subsystem of the Cisco Aironet 1800, 2800, and 3800 Series Access Points running a Lightweight Access Point (AP) or Mobility Express image could allow an unauthenticated, adjacent attacker to execute arbitrary code with root privileges. The vulnerability is due to insufficient validation of PnP server responses. The PnP feature is only active while the device does not contain a configuration, such as a first time boot or after a factory reset has been issued. An attacker with the ability to respond to PnP configuration requests from the affected device can exploit the vulnerability by returning malicious PnP responses. If a C
No detection rules found.
Exploit-DB
CVE-2017-6736 (exploitdb · 2018-01-05 · CVSS 8.8 · HIGH): Cisco IOS - Remote Code Execution
---
#!/usr/bin/env python
if False: '''
CVE-2017-6736 / cisco-sa-20170629-snmp Cisco IOS remote code execution
This repository contains Proof-Of-Concept code for exploiting remote code execution vulnerability in SNMP service disclosed by Cisco Systems on June 29th 2017 -
Description
RCE exploit code is available for Cisco Integrated Service Router 2811. This exploit is firmware dependent. The latest firmware version is supported:
- Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M12a, RELEASE SOFTWARE (fc1)
ROM Monitor version:
- System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Read-only community string is required to trigger the vulnerability.
Shellcode
The exploit requires shellcode as HEX input.
Exploit-DB
CVE-2017-2800 (exploitdb · 2017-05-09 · CVSS 9.8 · CRITICAL): wolfSSL 3.10.2 - x509 Certificate Text Parsing Off-by-One
---
TALOS-2017-0293
WOLFSSL LIBRARY X509 CERTIFICATE TEXT PARSING CODE EXECUTION VULNERABILITY
MAY 8, 2017
CVE-2017-2800
SUMMARY
An exploitable off-by-one write vulnerability exists in the x509 certificate parsing functionality of wolfSSL library versions up to 3.10.2. A specially crafted x509 certificate can cause a single out of bounds byte overwrite resulting in potential certificate validation vulnerabilities, denial of service and possible remote code execution. In order to trigger this vulnerability, the attacker needs to supply a malicious x509 certificate to either server or client application using this library.
TESTED VERSIONS
WolfSSL 3.10.2
PRODUCT URLS
https://www.wolfssl.com
CVSSV3 SCORE
8.1 - CVSS:3.0/AV:N/AC:H/P
Talos
Vulnerability Spotlight: WolfSSL library X.509 Certificate Text Parsing Code Execution Vulnerability (blogs_talos · 2017-05-08)
Discovered by Aleksandar Nikolic of Cisco Talos
### Overview
Talos is disclosing TALOS-2017-0293 / CVE 2017-2800, a code execution vulnerability in WolfSSL. WolfSSL is a lightweight SSL/TLS library targeted specifically for embedded and RTOS (Real-Time Operating System) environments, due largely to its small size and performance. WolfSSL is used in a wide range of products including ICS and IoT devices.
This particular vulnerability is related to the use of x.509 certificates and the code that deals with string fields in DER certificates. Specifically the code responsible for parsing 'commonName', 'countryName', 'localityName', 'stateName', 'orgName', and 'orgUnit'. A specially crafted x.509 certificate can cause a single out-of-bounds overwrite that could result in certificate validati