CVE-2020-12457 — Infinite Loop in Wolfssl

CWE-835 — Infinite Loop CWE-20 — Improper Input Validation4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 35.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wolfssl Debian Wolfssl

Timeline

PublishedAug 21

Latest updateMay 24

Description

An issue was discovered in wolfSSL before 4.5.0. It mishandles the change_cipher_spec (CCS) message processing logic for TLS 1.3. If an attacker sends ChangeCipherSpec messages in a crafted way involving more than one in a row, the server becomes stuck in the ProcessReply() loop, i.e., a denial of service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/wolfssl< wolfssl 4.5.0+dfsg-1 (bookworm)

▶NVDwolfssl/wolfssl< 4.5.0

▶Debianwolfssl/wolfssl< 4.5.0+dfsg-1+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-85m8-xxmw-3hpv: An issue was discovered in wolfSSL before 4↗2022-05-24

▶

OSV

CVE-2020-12457: An issue was discovered in wolfSSL before 4↗2020-08-21

▶

📋Vendor Advisories

Debian

CVE-2020-12457: wolfssl - An issue was discovered in wolfSSL before 4.5.0. It mishandles the change_cipher...↗2020

▶