Title: Remote denial of service vulnerability in MatrixSSL (TLS Toolkit)
Rambus Tracking ID: RMBS-2023-03
CVE (if applicable): 
Publication Date (YYYY-MM-DD): 2023-06-01

Background

A security vulnerability has been identified in the Rambus TLS Toolkit software and in its open-source version, MatrixSSL (TLS Toolkit) (formerly from Inside Secure). A release that remediates the vulnerability is available and has been distributed to the existing customers that are affected.

Vulnerability Description

The vulnerability is located in the TLSv1.3 pre-shared-key extension parsing of the TLS Client Hello message. The function tls13VerifyBinder() executes the following function:

//prototype
int32_t tls13TranscriptHashUpdate(ssl_t *ssl,
                                  const unsigned char *in,
                                  psSize_t len)

//execution
tls13TranscriptHashUpdate(ssl,
                          ssl->sec.tls13CHStart,
                          ssl->sec.tls13CHLen - ssl->sec.tls13BindersLen);

The length argument of that call is the subtraction
ssl->sec.tls13CHLen - ssl->sec.tls13BindersLen.
At this point an unsigned short wrap-around can occur, because the parameter type psSize_t is an unsigned short integer and there is no length check that prevents tls13BindersLen from exceeding tls13CHLen. In the worst case, the variable len takes the value 65535 and the attacked device calculates a hash such as SHA-2 over at least 65 kilobytes of RAM data.

Severity Level
This is considered a High severity bug.

Impact
The vulnerability allows an attacker to make the device execute a hash (e.g. SHA-2) over at least 65 kilobytes of RAM data per TLS Client Hello message. With a large number of messages, the CPU is heavily loaded, which can lead to a denial of service.

Affected Products

Product Name                              Version(s)
MatrixSSL (TLS Toolkit)                   4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.4.0, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 (if TLS1.3 is enabled)
SafeZone FIPS140-2 Complete               10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.6.0 (if MatrixSSL is used and TLS1.3 is enabled)
SafeZone FIPS140-3 Complete               10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.6.0 (if MatrixSSL is used and TLS1.3 is enabled)
SafeZone FIPS SW Toolkit                  10.3.0, 10.4.0 (if MatrixSSL is used and TLS1.3 is enabled)
Inside Secure FIPS SW Toolkit             10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, 10.2.2 (if MatrixSSL is used and TLS1.3 is enabled)
SafeZone FIPS SW Toolkit FIPS_140-3_rc3   10.4.x (if MatrixSSL is used and TLS1.3 is enabled)
TLS FIPS Toolkit                          4.3.0, 4.4.0, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 (if TLS1.3 is enabled)

Unaffected Products

Product Name                              Version(s)
MatrixSSL (TLS Toolkit)                   3.x and before
SafeZone FIPS SW Toolkit                  9.x and before

Remediation
Rambus has developed patched versions of MatrixSSL (TLS Toolkit) that address the vulnerability. The fix checks whether the subtraction would wrap around and, in that case, returns alert 50 (decode error).
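The wrap-around described under Vulnerability Description and the guard described under Remediation, as an added C example that is not the toolkit's own code; the function names, the return codes and the uint16_t stand-in for psSize_t are assumptions made for illustration, and the sample length pairs are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for psSize_t, which the advisory describes as an unsigned short. */
typedef uint16_t psSize_t;

/* Constructed return codes for this example (not the toolkit's own).
 * 50 is the TLS decode_error alert number the advisory says the fix returns. */
#define LEN_OK                 0
#define TLS_ALERT_DECODE_ERROR 50

/* Unchecked length computation as described in the advisory: both operands
 * are promoted to int, the difference goes negative when the binders length
 * exceeds the ClientHello length, and narrowing back to the 16-bit psSize_t
 * wraps it to a large value (up to 65535). */
psSize_t transcript_len_unchecked(psSize_t ch_len, psSize_t binders_len)
{
    return (psSize_t)(ch_len - binders_len);
}

/* Guarded computation in the spirit of the fix described under Remediation:
 * reject the message with decode_error when the subtraction would wrap,
 * otherwise hand back the genuine number of bytes to be hashed. */
int transcript_len_checked(psSize_t ch_len, psSize_t binders_len, psSize_t *out)
{
    if (binders_len > ch_len) {
        return TLS_ALERT_DECODE_ERROR;
    }
    *out = (psSize_t)(ch_len - binders_len);
    return LEN_OK;
}

int main(void)
{
    /* Constructed sample pairs: (ClientHello length, binders length). */
    const psSize_t samples[][2] = { {200, 37}, {100, 101}, {0, 1} };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        psSize_t ch = samples[i][0], binders = samples[i][1], len = 0;
        int rc = transcript_len_checked(ch, binders, &len);
        printf("CHLen=%u BindersLen=%u  unchecked len=%u  checked rc=%d len=%u\n",
               (unsigned)ch, (unsigned)binders,
               (unsigned)transcript_len_unchecked(ch, binders), rc, (unsigned)len);
    }
    return 0;
}
```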

Action Taken
Rambus is planning an update that fixes security issues in the open-source MatrixSSL version, but as this is a high severity issue, we will pre-notify TLS Toolkit customers directly and provide a patch or new release before publishing the MatrixSSL update.

An updated package – version 4.7.0 – will be released to GitHub on 2023-07-04. (https://github.com/matrixssl/matrixssl)

No further information about the issues will be provided.

Acknowledgement
The vulnerability was found by Robert Hörr and Alissar Ibrahim, Security Evaluators of the Telekom Security Evaluation Facility.

For any inquiries, please contact Rambus.

Revision History

Version   Description              Status   Date (YYYY-MM-DD)
1.2       Initial Public Release   Final    2023-06-01
