Security Advisory 2022-10-04-1 - wolfSSL buffer overflow during a TLS 1.3 handshake (CVE-2022-39173)

There is a remotely exploitable security issue in wolfSSL library prior to version 5.5.1. In default configuration this applies to OpenWrt releases 21.02 and 22.03, which have LuCI web user interface exposed to local area network clients over HTTPS by uhttpd web server.

Full advisory can be found on a dedicated wiki page.

Package upgrade using command line

  1. You need to update the affected packages you're using with the command below.

    opkg update; opkg upgrade libwolfssl libustream-wolfssl

  2. In order to apply the update, you need to either reboot your device or restart affected uhttpd service:

    /etc/init.d/uhttpd restart

  3. Then it's recommended to double-check that you're using fixed versions of the packages.

    opkg list-installed | grep wolfssl

The above command output should contain the following fixed versions:

OpenWrt development snapshot

libustream-wolfssl20201210 - 2022-01-16-868fd881-1
libwolfssl5.5.1.e624513f - 5.5.1-stable-8

OpenWrt 22.03 release:

libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.5.1.ee39414e - 5.5.1-stable-3

OpenWrt 21.02 release:

libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.5.1.99a5b54a - 5.5.1-stable-2
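A small checker for the verification step above, as an added example that is not part of the original post: it parses `opkg list-installed` output (constructed sample listings modelled on the outputs posted later in this thread), flags any installed libwolfssl package older than 5.5.1, and so catches the leftover 5.4.0 library that an un-upgraded px5g-wolfssl or wpad-basic-wolfssl keeps installed.

```shell
#!/bin/sh
# Added example: check an `opkg list-installed` listing for the CVE-2022-39173
# fix. Every installed libwolfssl must be >= 5.5.1; an older ABI package left
# behind by a stale px5g-wolfssl / wpad-basic-wolfssl dependency fails the check.
FIXED_VERSION=5.5.1   # first wolfSSL release with the fix, per the advisory

# version_ge A B: return 0 if dotted version A is >= B, comparing numerically.
version_ge() {
    v1="$1." v2="$2."
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        c1=${v1%%.*}; v1=${v1#*.}
        c2=${v2%%.*}; v2=${v2#*.}
        [ "${c1:-0}" -gt "${c2:-0}" ] && return 0
        [ "${c1:-0}" -lt "${c2:-0}" ] && return 1
    done
    return 0
}
# check_wolfssl LISTING: prints a verdict per libwolfssl package and returns 0
# only when all are fixed (or none is installed, e.g. an image without wolfSSL).
check_wolfssl() {
    status=0 found=0
    while read -r pkg _dash ver; do
        case $pkg in libwolfssl*) ;; *) continue ;; esac
        found=1
        upstream=${ver%%-*}          # "5.5.1-stable-3" -> "5.5.1"
        if version_ge "$upstream" "$FIXED_VERSION"; then
            echo "OK          $pkg ($ver)"
        else
            echo "VULNERABLE  $pkg ($ver): upgrade its dependents, then remove it"
            status=1
        fi
    done <<EOF
$1
EOF
    [ "$found" -eq 1 ] || echo "no libwolfssl package installed"
    return $status
}
# Constructed sample listings, modelled on outputs posted in this thread.
SAMPLE_FIXED='libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.5.1.ee39414e - 5.5.1-stable-3
px5g-wolfssl - 5.1
wpad-basic-wolfssl - 2022-01-16-cff80b4f-13.1'
SAMPLE_STALE='libwolfssl5.4.0.ee39414e - 5.4.0-stable-5
libwolfssl5.5.1.ee39414e - 5.5.1-stable-3
px5g-wolfssl - 4
wpad-basic-wolfssl - 2022-01-16-cff80b4f-11'
echo "--- fixed system ---"; check_wolfssl "$SAMPLE_FIXED"
echo "--- stale 5.4.0 ---";  check_wolfssl "$SAMPLE_STALE" || echo "=> not fully fixed"
# On a router, run it on the live listing: check_wolfssl "$(opkg list-installed)"
```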

On my 21.02.3 TP-Link C7v4, after I do opkg update; opkg upgrade libwolfssl libustream-wolfssl, I am still seeing this:

root@Filadelfo:~# opkg list-installed | grep wolfssl
libustream-wolfssl20201210 - 2022-01-16-868fd881-1
libwolfssl5.2.0.99a5b54a - 5.2.0-stable-2
px5g-wolfssl - 3
wpad-basic-wolfssl - 2020-06-08-5a8b3662-40

Are the download sites just not updated yet?

Thanks,
Mike


I would like to thank you very much for informing us about this vulnerability. I usually never do updates, I only install new releases.

Have a nice day and greetings to the developers


Instructions need to be upgraded to update package px5g-wolfssl to fully remove the dependency on libwolfssl5.4.0.ee39414e.

I see:

root@OpenWrt:~# opkg list-installed | grep wolfssl
libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.4.0.ee39414e - 5.4.0-stable-5
libwolfssl5.5.1.ee39414e - 5.5.1-stable-3
px5g-wolfssl - 4
wpad-basic-wolfssl - 2022-01-16-cff80b4f-12

I seem to have extra packages, should I uninstall?


Thank you for the patch.

I get the following output:

root@bthh5:~# opkg list-installed | grep wolfssl
libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.4.0.ee39414e - 5.4.0-stable-5
libwolfssl5.5.1.ee39414e - 5.5.1-stable-3
px5g-wolfssl - 4
wpad-basic-wolfssl - 2022-01-16-cff80b4f-11

Regards,
Alistair


I'd guess 19.07.10 is not affected (default packages) right?

I would imagine so - the advisory specifically says all prior library versions contain the vulnerability.

Thank you for the report, should be ok now, please try again.

I was first thinking about using opkg list-upgradable | cut -d ' ' -f 1 | xargs opkg upgrade, but this could probably cause some side effects in some environments, so I simply went with the hotfix for the vulnerable uhttpd service; I did not want to confuse users with more steps than necessary.

Running opkg upgrade px5g-wolfssl wpad-basic-wolfssl; opkg remove libwolfssl5.4.0.ee39414e should be likely enough.

Thanks for staying "sharp" on bugs and possible security issues & delivery of a Patch :wave:

I've read the Security Advisory and I know 19.07 is not supported anymore, but I believe my question was quite specific: as there are no wolfssl libraries or dependencies in default 19.07.10 images, there is no vulnerability, right? I know you could optionally install wolfssl and dependent packages, but that was not the point.


Having had the same output as @dubefab and @alistair:
Via LuCI I removed libwolfssl5.4.0.ee39414e with errors.

Then via PuTTY:
opkg install px5g-wolfssl wpad-basic-wolfssl

Output now looks updated.

opkg list-installed | grep wolfssl
libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.5.1.ee39414e - 5.5.1-stable-3
px5g-wolfssl - 5.1
wpad-basic-wolfssl - 2022-01-16-cff80b4f-13.1

Thank you for authoring the Wiki and crediting the involved parties.


After performing the upgrade steps outlined by the OP I have the following:

# opkg list-installed | grep wolfssl
libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.4.0.ee39414e - 5.4.0-stable-5
libwolfssl5.5.1.ee39414e - 5.5.1-stable-3
px5g-wolfssl - 4
wpad-basic-wolfssl - 2022-01-16-cff80b4f-11

I attempted to remove libwolfssl5.4.0.ee39414e and received the following:

# opkg remove libwolfssl5.4.0.ee39414e
No packages removed.
Collected errors:
 * print_dependents_warning: Package libwolfssl5.4.0.ee39414e is depended upon by packages:
 * print_dependents_warning: 	wpad-basic-wolfssl
 * print_dependents_warning: 	px5g-wolfssl
 * print_dependents_warning: These might cease to work if package libwolfssl5.4.0.ee39414e is removed.

 * print_dependents_warning: Force removal of this package with --force-depends.
 * print_dependents_warning: Force removal of this package and its dependents
 * print_dependents_warning: with --force-removal-of-dependent-packages.

Should we force the removal of libwolfssl5.4.0.ee39414e ?

EDIT
Following up after re-reading @Bill post more closely. I performed the following:

# opkg update
# opkg remove --force-removal-of-dependent-packages libwolfssl5.4.0.ee39414e
# opkg install px5g-wolfssl wpad-basic-wolfssl
# /etc/init.d/uhttpd restart

which yielded this:

# opkg list-installed | grep wolfssl
libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.5.1.ee39414e - 5.5.1-stable-3
px5g-wolfssl - 5.1
wpad-basic-wolfssl - 2022-01-16-cff80b4f-13.1

Simply updating px5g-wolfssl (which is necessary!) will automatically remove libwolfssl5.4.0 cleanly, as the older version of px5g is what causes the (unnecessary) dependency.


I'm not sure if this is the correct thread for this, but curl stopped working for https after updating the wolfssl packages. I'm not sure how to fix the issue with curl.


It could be that curl was compiled against the older library. Check to see if there is an update to the curl package. (I'm guessing here, no direct knowledge.)


Already checked if there is an update, but no new updates yet.


According to the wiki page, the requirement condition is "a malicious attacker in the same local network as the OpenWrt device". If all the clients in the same "local network" as the OpenWrt device are trustworthy, should I worry about the vulnerability? In my case, I am the only client of the OpenWrt router (22.3.0) and I don't expose LuCI to external networks.

# opkg list-installed | grep wolfssl
libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.5.1.ee39414e - 5.5.1-stable-3
px5g-wolfssl - 5.1
wpad-basic-wolfssl - 2022-01-16-cff80b4f-13.1

Is my system OK?
I am unsure about the last 2.