Heap overflow in wolfSSL CVE-2019-18840

A heap overflow vulnerability has been found in wolfSSL.

wolfSSL is a TLS library mostly used in embedded Linux devices.
It is also used in the popular tool curl.
Its small code base makes it a popular choice for various
IoT projects.

The vulnerability has been assigned CVE-2019-18840.

Explanation of the vulnerability

Due to incorrect parsing of ASN.1 certificates during
the handshake, the GetName function in wolfcrypt/src/asn.c
allows the program to overwrite a memory address and cause
a heap overflow.

A malicious certificate will crash the program and, if
exploited in a more advanced way, will lead to
remote code execution.

wolfcrypt/src/asn.c:4505:

    void FreeDecodedCert(DecodedCert* cert)
    {
        ...
        if (cert->subjectName.fullName != NULL)
            XFREE(cert->subjectName.fullName, cert->heap, DYNAMIC_TYPE_X509);

wolfssl/wolfcrypt/asn.h:

    #define DOMAIN_COMPONENT_MAX 10
    #define DN_NAMES_MAX 9

    struct DecodedName {
        char* fullName;
        ...
        int loc[DOMAIN_COMPONENT_MAX + DN_NAMES_MAX];
        int locSz;
    };

    struct DecodedCert {
        ...
        DecodedName issuerName;
        DecodedName subjectName;
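
The excerpts show why an out-of-bounds write here is dangerous: loc[] has room for DOMAIN_COMPONENT_MAX + DN_NAMES_MAX = 19 entries, and issuerName sits directly before subjectName, whose fullName pointer FreeDecodedCert later hands to XFREE. The following bounds-checked model is an added example, not wolfSSL code and not the upstream fix. ModelName, ModelCert, record_loc and demo are hypothetical names, and it assumes the overflow is an unchecked write into loc[] indexed by locSz.

```c
#include <stddef.h>
#include <string.h>

/* Constants copied from the asn.h excerpt above. */
#define DOMAIN_COMPONENT_MAX 10
#define DN_NAMES_MAX 9
#define LOC_CAPACITY (DOMAIN_COMPONENT_MAX + DN_NAMES_MAX)   /* 19 slots */

/* Simplified model of the excerpted structs; elided fields are left out. */
typedef struct ModelName {
    char* fullName;
    int   loc[LOC_CAPACITY];
    int   locSz;
} ModelName;

typedef struct ModelCert {
    ModelName issuerName;
    ModelName subjectName;   /* laid out right after issuerName */
} ModelCert;

/* Hypothetical helper: store one component id, refusing the write once loc[] is full. */
int record_loc(ModelName* name, int id)
{
    if (name == NULL || name->locSz < 0 || name->locSz >= LOC_CAPACITY)
        return -1;           /* too many components: reject the certificate */
    name->loc[name->locSz++] = id;
    return 0;
}

/* Feed `count` constructed component ids into issuerName. Returns how many
 * were accepted, or -1 if subjectName was modified along the way. */
int demo(int count)
{
    static char subject[] = "CN=constructed";
    ModelCert cert;
    int accepted = 0;
    memset(&cert, 0, sizeof cert);
    cert.subjectName.fullName = subject;
    for (int i = 0; i < count; i++) {
        if (record_loc(&cert.issuerName, i + 1) != 0)
            break;           /* a parser would return a parse error here */
        accepted++;
    }
    if (cert.subjectName.fullName != subject || cert.subjectName.locSz != 0)
        return -1;
    return accepted;
}

int main(void) { return demo(64) == LOC_CAPACITY ? 0 : 1; }
```
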

Source:
https://github.com/wolfSSL/wolfssl/issues/2555

We at Firo believe strongly that you should locate
the vulnerabilities within your network and patch them.
With Firo Solutions you can receive notifications about
new vulnerabilities that affect your system.

This blog post is part of the exploit of the day series
where we write a shorter description about interesting
exploits that we index.