CVE-2022-39173
NixOS vulnerability analysis and mitigation

Overview

In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake when attempting to resume a previous TLS session. The vulnerability (CVE-2022-39173) was discovered by Max at Trail of Bits and Lucca Hirschi from LORIA, Inria, France using the tlspuffin tool. This issue affects TLS 1.3 servers with session ticket resumption enabled (Trail of Bits Blog, CVE Details).

Technical details

The buffer overflow occurs in the RefineSuites function while it processes cipher suites during a resumed TLS 1.3 handshake. It is triggered when a malicious client sends two specially crafted ClientHello messages containing duplicate cipher suites: one pretending to resume a previous session, and another in response to a HelloRetryRequest. If the ClientHellos contain at least 13 duplicate cipher suites (but fewer than 150 in total), the second invocation of RefineSuites can write beyond the allocated buffer size of WOLFSSL_MAX_SUITE_SZ (300 bytes). An overflow of up to 44,700 bytes has been confirmed (Trail of Bits Blog).
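The arithmetic behind the "at least 13 duplicates" threshold and the 44,700-byte maximum follows from the two-pass intersection the paragraph describes. The program below is an added illustration written for this page, not wolfSSL's code: it models RefineSuites as an intersection of the server's suite list with the client's list (an assumption about the function's internals, which the advisory does not spell out), computes how many bytes an unchecked version would emit without actually writing past any buffer, and shows a hardened variant that de-duplicates and bounds-checks every append. The suite id 0x13 0x01 (TLS_AES_128_GCM_SHA256) is a constructed sample; the function names are hypothetical.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* WOLFSSL_MAX_SUITE_SZ as stated in the advisory: 300 bytes, room for 150 two-byte suite ids. */
#define MAX_SUITE_SZ 300

/* Constructed sample: the TLS 1.3 suite id TLS_AES_128_GCM_SHA256 (0x13, 0x01). */
static const unsigned char SUITE_HI = 0x13, SUITE_LO = 0x01;

/* Fill buf with n copies of the sample suite id, clamped to cap; return bytes written. */
static size_t fill_repeated(unsigned char *buf, size_t cap, size_t n)
{
    size_t len = 0;
    for (size_t i = 0; i < n && len + 2 <= cap; i++) {
        buf[len++] = SUITE_HI;
        buf[len++] = SUITE_LO;
    }
    return len;
}

/* Model of an unchecked intersection (assumed shape of the pre-fix logic): every server
 * suite is compared against every client suite and each match would append two bytes.
 * Only the length is computed, nothing is written, so it is safe to run with any input. */
size_t unchecked_refine_len(const unsigned char *srv, size_t srv_len,
                            const unsigned char *cli, size_t cli_len)
{
    size_t out = 0;
    for (size_t i = 0; i + 1 < srv_len; i += 2)
        for (size_t j = 0; j + 1 < cli_len; j += 2)
            if (srv[i] == cli[j] && srv[i + 1] == cli[j + 1])
                out += 2;
    return out;
}

/* Hardened refine: a suite already present in the output is not appended again, and
 * every append is bounds-checked. Returns the output length, or -1 if it would not fit. */
int refine_suites_safe(const unsigned char *srv, size_t srv_len,
                       const unsigned char *cli, size_t cli_len,
                       unsigned char *out, size_t out_cap)
{
    size_t out_len = 0;
    for (size_t i = 0; i + 1 < srv_len; i += 2) {
        for (size_t j = 0; j + 1 < cli_len; j += 2) {
            if (srv[i] != cli[j] || srv[i + 1] != cli[j + 1])
                continue;
            bool seen = false;                      /* de-duplicate the output list */
            for (size_t k = 0; k + 1 < out_len; k += 2) {
                if (out[k] == cli[j] && out[k + 1] == cli[j + 1]) { seen = true; break; }
            }
            if (seen)
                continue;
            if (out_len + 2 > out_cap)              /* the bounds check that stops the overflow */
                return -1;
            out[out_len++] = cli[j];
            out[out_len++] = cli[j + 1];
        }
    }
    return (int)out_len;
}

/* Two passes, as in the resumption ClientHello followed by the post-HelloRetryRequest
 * ClientHello: the first pass's (duplicated) result is the server list for the second. */
size_t two_pass_unchecked_len(size_t ndup)
{
    unsigned char server[MAX_SUITE_SZ], client[MAX_SUITE_SZ], refined[MAX_SUITE_SZ];
    size_t server_len = fill_repeated(server, sizeof server, 1);      /* server offers it once */
    size_t client_len = fill_repeated(client, sizeof client, ndup);   /* client repeats it ndup times */
    size_t pass1 = unchecked_refine_len(server, server_len, client, client_len);
    /* pass 1 yields ndup copies (fits while ndup <= 150); pass 2 refines against that list */
    size_t refined_len = fill_repeated(refined, sizeof refined, pass1 / 2);
    return unchecked_refine_len(refined, refined_len, client, client_len);
}

/* Same two passes through the hardened function: duplicates collapse to a single entry. */
int two_pass_safe_len(size_t ndup)
{
    unsigned char server[MAX_SUITE_SZ], client[MAX_SUITE_SZ], refined[MAX_SUITE_SZ], out[MAX_SUITE_SZ];
    size_t server_len = fill_repeated(server, sizeof server, 1);
    size_t client_len = fill_repeated(client, sizeof client, ndup);
    int pass1 = refine_suites_safe(server, server_len, client, client_len, refined, sizeof refined);
    if (pass1 < 0)
        return -1;
    return refine_suites_safe(refined, (size_t)pass1, client, client_len, out, sizeof out);
}

/* Shows the bounds check firing: two distinct matching suites into a 2-byte buffer. */
int demo_bounds_check(void)
{
    unsigned char lists[] = { 0x13, 0x01, 0x13, 0x02 };
    unsigned char tiny[2];
    return refine_suites_safe(lists, sizeof lists, lists, sizeof lists, tiny, sizeof tiny);
}

int main(void)
{
    size_t cases[] = { 12, 13, 150 };
    for (size_t c = 0; c < sizeof cases / sizeof cases[0]; c++) {
        size_t unchecked = two_pass_unchecked_len(cases[c]);
        printf("%3zu duplicates: unchecked output %5zu bytes (%s), hardened output %d bytes\n",
               cases[c], unchecked, unchecked > MAX_SUITE_SZ ? "overflows" : "fits",
               two_pass_safe_len(cases[c]));
    }
    return 0;
}
```

With 12 duplicates the second pass produces 12 × 12 × 2 = 288 bytes, which still fits in 300; with 13 it produces 338 bytes and crosses the boundary, and with the 150-suite maximum the unchecked length is 45,000 bytes, 44,700 past the buffer, which is the figure the advisory reports. The hardened variant returns two bytes in every case because the duplicate suite is emitted once.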

Impact

The vulnerability allows a malicious client to cause a buffer overflow on a TLS 1.3 server, potentially leading to denial of service. Remote code execution may be possible on certain architectures or targets, but this has not been confirmed. The overflow can overwrite large portions of the stack, including return addresses (wolfSSL Security).

Mitigation and workarounds

Users running TLS 1.3 servers with session ticket resumption enabled should update to wolfSSL 5.5.1 or later. The fix shipped in version 5.5.1, released in September 2022 (wolfSSL Security).

This report was generated using AI.
