Improper Certificate Validation Affecting wolfssl package, versions <5.6.2-r0


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.09% (39th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ALPINE321-WOLFSSL-8490220
  • published6 Dec 2024
  • disclosed17 Jul 2023

Introduced: 17 Jul 2023

CVE-2023-3724  (opens in a new tab)
CWE-295  (opens in a new tab)

How to fix?

Upgrade Alpine:3.21 wolfssl to version 5.6.2-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream wolfssl package and not the wolfssl package as distributed by Alpine. See How to fix? for Alpine:3.21 relevant fixed versions and status.

If a TLS 1.3 client gets neither a PSK (pre shared key) extension nor a KSE (key share extension) when connecting to a malicious server, a default predictable buffer gets used for the IKM (Input Keying Material) value when generating the session master secret. Using a potentially known IKM value when generating the session master secret key compromises the key generated, allowing an eavesdropper to reconstruct it and potentially allowing access to or meddling with message contents in the session. This issue does not affect client validation of connected servers, nor expose private key information, but could result in an insecure TLS 1.3 session when not controlling both sides of the connection. wolfSSL recommends that TLS 1.3 client side users update the version of wolfSSL used.

CVSS Scores

version 3.1