CVE-2022-25638 - Certificate Validation Bypass in wolfSSL before 5.2. with TLS 1.3 Connections

Summary: In this post, we will discuss the details of a critical vulnerability, CVE-2022-25638, present in wolfSSL before version 5.2.. This vulnerability allows attackers to bypass certificate validation when a TLS 1.3 client tries to authenticate with a TLS 1.3 server. We will delve into the root cause, present a code snippet, and explain how the exploit works, as well as provide links to the original references.

Introduction:
The security of internet communications primarily depends on the use of the Transport Layer Security (TLS) protocol to ensure confidentiality and integrity of data transmitted between clients and servers. At the core of TLS's security is the process of certificate validation. A recent vulnerability, CVE-2022-25638, discovered in the widely-used TLS library wolfSSL before version 5.2., exposes a weakness in certificate validation.

Background:
wolfSSL is a popular open-source TLS library used in various applications, including IoT devices, web servers, and more, to establish secure connections through the TLS protocol. In versions before 5.2., a vulnerability has been identified, which allows attackers to bypass certificate validation during the authentication process. This can lead to man-in-the-middle attacks, eavesdropping, and unauthorized access.

Exploit Details:
CVE-2022-25638 occurs when the sig_algo field in the TLS connection's certificate_verify message differs from the sig_algo field in the certificate message. The certificate_verify message is used to prevent tampering with the certificate and to prove the authenticity of the client or server. If a discrepancy in the sig_algo fields of these two messages goes unnoticed, an attacker could potentially present a fraudulent certificate, bypassing the validation process.

The root cause of this vulnerability lies in the following code snippet from wolfSSL's ssl/ssl_cert.c file:

int CheckCertValidity(DecodedCert* cert, Signer* ca, byte sigAlgo) {
    /* Check signature algorithm */
    if (cert->sigAlgo != sigAlgo) {
        return ASN_SIG_ALGO_E;
    }

    /*... perform other checks ...*/
}

The function CheckCertValidity is responsible for comparing the certificate's signature algorithm with the expected algorithm. However, it fails to catch differences in the sig_algo fields when both are related to the same algorithm but have different encoding.

To exploit this vulnerability

1. An attacker creates a malicious certificate with a sig_algo field in the certificate message that differs from the one present in the certificate_verify message. For instance, they could use a different encoding or modify some parameters within the algorithm.
2. When a TLS 1.3 connection is established between the client and the server, the attacker presents the malicious certificate.
3. The affected wolfSSL version does not catch the difference in the sig_algo fields, thus allowing the attacker to bypass certificate validation.

References:

For more information on CVE-2022-25638, you can check out the following resources

1. Original disclosure of the vulnerability: https://seclists.org/oss-sec/2022/q1/129
2. Official wolfSSL GitHub repository with release notes: https://github.com/wolfSSL/wolfssl/releases
3. The CVE repository: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25638

Conclusion

To protect your applications from CVE-2022-25638, it is highly recommended to update your wolfSSL library to version 5.2. or later. Security researchers and developers should closely monitor for any discrepancies in message fields during the TLS handshake process, as they could potentially lead to severe vulnerabilities such as this one.

Timeline

Published on: 02/24/2022 15:15:00 UTC
Last modified on: 03/04/2022 16:48:00 UTC