wolfSSL Session Resumption Denial Of Service
wolfSSL versions prior to 5.5.0 suffer from a denial of service condition related to session resumption. When a TLS 1.3 client connects to a wolfSSL server and SSL_clear is called on its session, the server crashes with a segmentation fault. The bug occurs after a client performs a handshake against a wolfSSL server and then closes the connection. If the server reuses the previous session structure (struct WOLFSSL) by calling wolfSSL_clear(WOLFSSL* ssl) on it, the next received Client Hello, which resumes the previous session, crashes the server. Note that this bug only exists in resumed handshakes using TLS session resumption. This bug was discovered using the novel symbolic-model-guided fuzzer tlspuffin.
https://packetstormsecurity.com/files/170604/wolfsslsession-dos.txt
Fri, 20 Jan 2023 15:27:00 GMT
________________________________
--- The information is for informational purposes only.
* Origin: Read us with http://winpoint.org JID: rs@captflint.com