Vulnerabilities in cryptographic libraries found through modern fuzzing

Recently patched vulnerabilities in MatrixSSL and wolfSSL, two open-source TLS/SSL implementations / libraries for embedded environments, have emphasized the great potential of using fuzzing to uncover security holes in implementations of cryptographic protocols.

CVE-2022-43974 and CVE-2022-42905

CVE-2022-43974 is a buffer overflow vulnerability found in MatrixSSL versions 4.5.1-4.0.0 that could allow information disclosure and remote code execution.

It was discovered and reported by Robert Hörr and Alissar Ibrahim, security evaluators with Deutsche Telekom’s IT Security Evaluation Facility, and has been patched in version 4.6.0, released in December 2022.

CVE-2022-42905 is a buffer over-read vulnerability found in wolfSSL versions 5.5.1 and earlier, and could result in exploitable crashes (but only if callback functions are enabled).

It was discovered and reported by Lucca Hirschi and Steve Kremer from LORIA, Inria (the French Institute for Research in Digital Science and Technology) and Max Ammann, a security engineer interning with Trail of Bits. It has been patched in wolfSSL version 5.5.2, released in October 2022.

Fuzzing cryptographic libraries to flag security flaws

In both cases, the researchers used fuzzing to find the flaws.

“Computer software is becoming more complex. So, it is almost impossible to perform a complete source code review with reasonable coverage. For this reason, modern fuzzing methods are used to discover vulnerabilities,” Deutsche Telekom’s security evaluators explained.

They fuzzed the MatrixSSL library with code coverage-guided fuzzers AFL and libFuzzer, and the vulnerability was found with AddressSanitizer, a tool for detecting memory errors. (Using those same tools, several years ago Hörr unearthed another buffer overflow in wolfSSL. He also developed the Fast Automated Software Testing framework for TLS libraries, combining the strengths of various fuzzing tools.)

“Code coverage based fuzzing combined with the AddressSanitizer is a powerful method to discover e.g., buffer overflows. With increasingly complex source codes, it is a resource-efficient alternative to source code reviews, because this fuzzing approach can be done mainly automatically. As there exist many approaches for fuzzing, it is the art of fuzzing to find the best approach,” Hörr and Ibrahim noted.

Ammann and his fellow researchers used a new protocol fuzzer called tlspuffin to automatically discover CVE-2022-42905 and three other vulnerabilities.

“Tlspuffin is a fuzzer inspired by formal protocol verification. Initially developed as part of my internship at LORIA, INRIA, France, it is especially targeted against cryptographic protocols like TLS or SSH,” he explained.

They used the fuzzer not only to discover new vulnerabilities in wolfSSL, but also to rediscover previously flagged logical vulnerabilities (e.g., FREAK) as a way to prove that tlspuffin works.

In an excellent write-up, Ammann went more in-depth about some of the discovered vulnerabilities and how the fuzzer found “weird states” and allowed them to find their source.

“It is challenging to fuzz implementations of cryptographic protocols. Unlike traditional fuzzing of file formats, cryptographic protocols require a specific flow of cryptographic and mutually dependent messages to reach deep protocol states,” he explained.

“Additionally, detecting logical bugs is a challenge on its own. The AddressSanitizer enables security researchers to reliably find memory-related issues. For logical bugs like authentication bypasses or loss of confidentiality no automated detectors exist.”

That’s why they created tlspuffin. Employing the decades-old Dolev–Yao model, which can be used for testing cryptographic protocols, it includes specific modifications so they could successfully fuzz concrete implementations of cryptographic protocols. Tlspuffin’s structure is also based on the LibAFL fuzzer.

“Before my internship at Trail of Bits, tlspuffin already supported fuzzing several versions of OpenSSL (including the version 1.0.1, which is vulnerable to Heartbleed) and LibreSSL,” Ammann noted. Since then, they have:

• Designed an interface that added the capability to fuzz arbitrary protocol libraries and added support for fuzzing wolfSSL
• Added support for fuzzing the SSH protocol, as well as libssh
• Added a security violations oracle that allows for the detection of security issues that do not lead to program crashes (e.g., authentication bypasses or protocol downgrades)
• Made changes that allowed them to more easily validate findings

Tlspuffin can now be used for testing the TLS and SSH protocols, and that integrating a new protocol into tlspuffin is possible, but “takes significant effort and requires an in-depth understanding of the protocol.” It can also be used by developers to write test suites.