TitleBuffer Overflow in MatrixSSL (TLS Toolkit)
Rambus Tracking IDRMBS-2022-01
CVE (if applicable)CVE-2022-43974
Publication Date
(YYYY-MM-DD)
2022-12-29

Background
A security vulnerability has been identified in the Rambus TLS Toolkit software and MatrixSSL (TLS Toolkit), formerly from Inside Secure. A patch which remediates the vulnerability is available and has been distributed to existing customers that are affected.

Vulnerability Description
A buffer overflow could occur wherein an attacker could overwrite the data in RAM of a server running MatrixSSL (TLS Toolkit) via a network connection.

Using a specially crafted packet, it is possible to fool the TLS1.3 ‘change cipher spec’ processing to cause an integer overflow. The problem exists in the implementation of the matrixSslDecodeTls13() function in all MatrixSSL (TLS Toolkit) versions that support TLS1.3.

Severity Level
This is considered a Critical bug.

Impact
An attacker could possibly exploit this vulnerability to install and execute malicious code. This vulnerability could also be used for denial-of-service attack.

Affected Products

Product NameVersions
MatrixSSL (TLS Toolkit)4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.4.0, 4.5.0, 4.5.1, 4.5.2, 4.5.3 (if TLS1.3 is enabled)
SafeZone FIPS140-2 Complete10.5.0, 10.5.1, 10.5.2, 10.5.3
if MatrixSSL is used and TLS1.3 is enabled
SafeZone FIPS140-3 Complete10.5.0, 10.5.1, 10.5.2, 10.5.3
if MatrixSSL is used and TLS1.3 is enabled
SafeZone FIPS SW Toolkit10.3.0, 10.4.0
if MatrixSSL is used and TLS1.3 is enabled
Inside Secure FIPS SW Toolkit10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1 10.2.2
if MatrixSSL is used and TLS1.3 is enabled
SafeZone FIPS SW Toolkit FIPS_140-3_rc310.4.x if MatrixSSL is used and TLS1.3 is enabled
TLS FIPS Toolkit4.3.0, 4.4.0, 4.5.0, 4.5.1, 4.5.2, 4.5.3 (if TLS1.3 is enabled)

Unaffected Products

Product NameVersions
MatrixSSL (TLS Toolkit)3.x and before
SafeZone FIPS SW Toolkit9.x and before

Remediation
Rambus has developed patched versions of MatrixSSL (TLS Toolkit) that addresses the vulnerability. The patch adds a check to the ‘change cipher spec’ processing so that buffer overflow will not happen, instead the connection is closed.

Action Taken
Rambus is providing an update that fixes security issues in MatrixSSL. As this is a critical issue, Rambus will pre-notify TLS Toolkit customers directly and provide a patch before publishing the MatrixSSL update.

An updated package – version 4.6.0 – released in GitHub on 29th December 2022. (https://github.com/matrixssl/matrixssl)

No further information about the issues will be provided.

Acknowledgement
The vulnerability was found by Robert Hörr and Alissar Ibrahim, Security Evaluators of the Telekom Security Evaluation Facility.

For any inquiries, please contact Rambus.

Revision History

VersionDescriptionStatusDate (YYYY-MM-DD)
1.0Initial Public ReleaseCompleted2022-12-29

Legal Disclosure
The patch described herein was developed as a workaround/solution to a recently-identified vulnerability and has received limited testing.  Consequently, THIS PATCH IS PROVIDED “AS IS.” RAMBUS MAKES NO WARRANTY NOR PROMISE ABOUT THE OPERATION OR PERFORMANCE OF THIS PATCH, NOR DOES IT WARRANT THAT THIS PATCH IS ERROR FREE.  RAMBUS DISCLAIMS ALL IMPLIED AND STATUTORY WARRANTIES, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE.