At Rambus, we create cutting-edge semiconductor and IP products, spanning memory and interfaces to security, smart sensors and lighting.
| Title | Buffer Overflow in MatrixSSL (TLS Toolkit) |
| Rambus Tracking ID | RMBS-2022-01 |
| CVE (if applicable) | CVE-2022-43974 |
| Publication Date (YYYY-MM-DD) | 2022-12-29 |
Background
A security vulnerability has been identified in the Rambus TLS Toolkit software and MatrixSSL (TLS Toolkit), formerly from Inside Secure. A patch which remediates the vulnerability is available and has been distributed to existing customers that are affected.
Vulnerability Description
A buffer overflow could occur wherein an attacker could overwrite the data in RAM of a server running MatrixSSL (TLS Toolkit) via a network connection.
Using a specially crafted packet, it is possible to fool the TLS1.3 ‘change cipher spec’ processing to cause an integer overflow. The problem exists in the implementation of the matrixSslDecodeTls13() function in all MatrixSSL (TLS Toolkit) versions that support TLS1.3.
Severity Level
This is considered a Critical bug.
Impact
An attacker could possibly exploit this vulnerability to install and execute malicious code. This vulnerability could also be used for denial-of-service attack.
Affected Products
| Product Name | Versions |
| MatrixSSL (TLS Toolkit) | 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.4.0, 4.5.0, 4.5.1, 4.5.2, 4.5.3 (if TLS1.3 is enabled) |
| SafeZone FIPS140-2 Complete | 10.5.0, 10.5.1, 10.5.2, 10.5.3 if MatrixSSL is used and TLS1.3 is enabled |
| SafeZone FIPS140-3 Complete | 10.5.0, 10.5.1, 10.5.2, 10.5.3 if MatrixSSL is used and TLS1.3 is enabled |
| SafeZone FIPS SW Toolkit | 10.3.0, 10.4.0 if MatrixSSL is used and TLS1.3 is enabled |
| Inside Secure FIPS SW Toolkit | 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1 10.2.2 if MatrixSSL is used and TLS1.3 is enabled |
| SafeZone FIPS SW Toolkit FIPS_140-3_rc3 | 10.4.x if MatrixSSL is used and TLS1.3 is enabled |
| TLS FIPS Toolkit | 4.3.0, 4.4.0, 4.5.0, 4.5.1, 4.5.2, 4.5.3 (if TLS1.3 is enabled) |
Unaffected Products
| Product Name | Versions |
| MatrixSSL (TLS Toolkit) | 3.x and before |
| SafeZone FIPS SW Toolkit | 9.x and before |
Remediation
Rambus has developed patched versions of MatrixSSL (TLS Toolkit) that addresses the vulnerability. The patch adds a check to the ‘change cipher spec’ processing so that buffer overflow will not happen, instead the connection is closed.
Action Taken
Rambus is providing an update that fixes security issues in MatrixSSL. As this is a critical issue, Rambus will pre-notify TLS Toolkit customers directly and provide a patch before publishing the MatrixSSL update.
An updated package – version 4.6.0 – released in GitHub on 29th December 2022. (https://github.com/matrixssl/matrixssl)
No further information about the issues will be provided.
Acknowledgement
The vulnerability was found by Robert Hörr and Alissar Ibrahim, Security Evaluators of the Telekom Security Evaluation Facility.
For any inquiries, please contact Rambus.
Revision History
| Version | Description | Status | Date (YYYY-MM-DD) |
| 1.0 | Initial Public Release | Completed | 2022-12-29 |
Legal Disclosure
The patch described herein was developed as a workaround/solution to a recently-identified vulnerability and has received limited testing. Consequently, THIS PATCH IS PROVIDED “AS IS.” RAMBUS MAKES NO WARRANTY NOR PROMISE ABOUT THE OPERATION OR PERFORMANCE OF THIS PATCH, NOR DOES IT WARRANT THAT THIS PATCH IS ERROR FREE. RAMBUS DISCLAIMS ALL IMPLIED AND STATUTORY WARRANTIES, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE.
