The recently disclosed vulnerability in wolfSSL (CVE-2022-25640) highlights a long-standing weakness in applications secured by this popular embedded TLS library. In versions prior to 5.2., wolfSSL's TLS 1.3 server implementation does not properly enforce mutual authentication, allowing a client to skip presenting its certificate. This article covers the details of the flaw, the relevant code, and the original references so that readers can stay informed and secure.

The exploit

In a mutually authenticated TLS 1.3 handshake, both the client and the server authenticate to each other before a secure channel is established. This is done by exchanging certificates and proving possession of the corresponding private keys. However, with wolfSSL prior to version 5.2., a client can bypass this requirement simply by omitting the certificate_verify message from the handshake, undermining the server's assurance of the client's identity.

This lapse in enforcing mutual authentication can lead to security breaches, especially in sensitive applications where proper client authentication is essential to maintaining a secure environment.

The issue lies in the DoCertificateVerify function of the tls13.c file:

static int DoCertificateVerify(WOLFSSL* ssl, const byte* input, word32* inOutIdx, byte bVerify)
{
...
    if (ssl->options.serverState == SERVER_CERTIFICATE_VERIFY_COMPLETE)
    {
        ret = TLSX_UsePSK(ssl, 1);

    #ifndef WOLFSSL_NO_TLS12
        if (ret == NOT_COMPILED_IN)
            ret = TLSX_UseSupportedCurve(ssl, 1);
    #endif

        if (ret != 0)
            return ret;
...

As the code above shows, the server checks whether its state is SERVER_CERTIFICATE_VERIFY_COMPLETE, which is meant to indicate that the client's certificate_verify message has been handled. However, the implementation does not confirm that the message was actually received and processed, so a client can skip it and still complete the handshake, bypassing mutual authentication.
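The enforcement a fix has to provide, as an added illustration written for this article (not wolfSSL's code): a minimal server-side handshake tracker that only lets the handshake finish when a required client Certificate and CertificateVerify were both actually received and checked. The hs_state fields, the message enum and the replay helpers are assumptions of this example.

```c
#include <stdbool.h>

/* Client handshake messages a TLS 1.3 server sees after its own Finished. */
enum hs_msg { MSG_CERTIFICATE, MSG_CERTIFICATE_VERIFY, MSG_FINISHED };

/* Record of which client-authentication messages were actually processed
   (hypothetical structure for this example). */
struct hs_state {
    bool require_client_auth; /* server sent a CertificateRequest */
    bool got_certificate;     /* non-empty client Certificate processed */
    bool got_cert_verify;     /* CertificateVerify received, signature verified */
};

/* Returns 0 when the message is acceptable, -1 when the handshake must abort. */
int on_client_message(struct hs_state *st, enum hs_msg msg, bool sig_ok) {
    switch (msg) {
    case MSG_CERTIFICATE:
        st->got_certificate = true;
        return 0;
    case MSG_CERTIFICATE_VERIFY:
        /* Only count the message once it follows a Certificate and its
           signature over the transcript has verified. */
        if (!st->got_certificate || !sig_ok) return -1;
        st->got_cert_verify = true;
        return 0;
    case MSG_FINISHED:
        /* Hardened check: with client auth required, refuse to finish unless
           both Certificate and CertificateVerify were really processed. */
        if (st->require_client_auth && !(st->got_certificate && st->got_cert_verify))
            return -1;
        return 0;
    }
    return -1;
}

/* Replays a client that sends its Certificate but skips CertificateVerify. */
int run_skipped_verify(bool require_client_auth) {
    struct hs_state st = { require_client_auth, false, false };
    if (on_client_message(&st, MSG_CERTIFICATE, true) != 0) return -1;
    return on_client_message(&st, MSG_FINISHED, true);
}

/* Replays a fully authenticated client. */
int run_full_auth(void) {
    struct hs_state st = { true, false, false };
    if (on_client_message(&st, MSG_CERTIFICATE, true) != 0) return -1;
    if (on_client_message(&st, MSG_CERTIFICATE_VERIFY, true) != 0) return -1;
    return on_client_message(&st, MSG_FINISHED, true);
}
```

The skipped-verify replay is rejected only when client authentication is required; when the server never asked for a certificate, finishing without CertificateVerify is normal TLS 1.3 behaviour.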

References

1. wolfSSL GitHub Repository
2. NVD - CVE-2022-25640
3. Mitre CVE-2022-25640

Mitigation

To address this vulnerability, upgrade wolfSSL to version 5.2. or later. The latest version is available from wolfSSL's official download page.

In conclusion, CVE-2022-25640 is a reminder of the importance of continuous testing and auditing of widely adopted security libraries. By keeping up to date with the latest security patches, users can keep their applications guarded against exploitation by malicious actors.

Timeline

Published on: 02/24/2022 15:15:00 UTC
Last modified on: 03/04/2022 16:55:00 UTC