Vulnerability Details : CVE-2019-11873
wolfSSL 4.0.0 has a Buffer Overflow in DoPreSharedKeys in tls13.c when a current identity size is greater than a client identity size. An attacker sends a crafted hello client packet over the network to a TLSv1.3 wolfSSL server. The length fields of the packet: record length, client hello length, total extensions length, PSK extension length, total identity length, and identity length contain their maximum value which is 2^16. The identity data field of the PSK extension of the packet contains the attack data, to be stored in the undefined memory (RAM) of the server. The size of the data is about 65 kB. Possibly the attacker can perform a remote code execution attack.
Vulnerability category: OverflowMemory CorruptionExecute code
Products affected by CVE-2019-11873
- cpe:2.3:a:wolfssl:wolfssl:4.0:-:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-11873
7.68%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 94 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-11873
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2019-11873
-
The product writes data past the end, or before the beginning, of the intended buffer.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-11873
-
https://www.telekom.com/resource/blob/572524/1c89c1cbaccdf792153063b3a10af10e/dl-190515-remote-buffer-overflow-vulnerability-wolfssl-library-data.pdf
Patch;Third Party Advisory
-
https://www.telekom.com/en/corporate-responsibility/data-protection-data-security/security/details/advisories-504842
Advisories | Deutsche TelekomThird Party Advisory
-
http://www.securityfocus.com/bid/108466
wolfSSL CVE-2019-11873 Stack Buffer Overflow VulnerabilityBroken Link
Jump to