Description
Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mg_tls_server_recv_hello(), which uses an attacker-controlled session_id_len byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote, unauthenticated attacker can send a single crafted ClientHello with an oversized session id length to read past the receive buffer, crashing any HTTPS, MQTTS, or WSS service built on MG_TLS_BUILTIN.
Problem types
Product status
Any version before 7.22
Credits
Shukhratbek Uraiimov
References
github.com/cesanta/mongoose/releases/tag/7.22 (Mongoose 7.22 Release Notes)
github.com/cesanta/mongoose (Product)
github.com/...ommit/c288ac1f38424ffdd4d2fd5e1893fd4962642db3 (Patch Commit)
www.vulncheck.com/...-builtin-clienthello-session-id-parsing