CVE-2023-6937: 
wolfSSL vulnerability analysis and mitigation

CVE-2023-6937 affects wolfSSL versions prior to 5.6.6, where the software failed to verify that messages in a single (D)TLS record do not span key boundaries. The vulnerability was discovered and reported by Johannes Wilson from Sectra Communications and Linköping University (Vendor Advisory).

The vulnerability allowed combining (D)TLS messages using different keys into one (D)TLS record. The most severe case involved (D)TLS 1.3, where an unencrypted (D)TLS 1.3 record from the server containing a ServerHello message followed by the rest of the first server flight could be accepted by a wolfSSL client, despite the requirement that handshake messages after ServerHello should be encrypted. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability could potentially expose sensitive handshake information, as it allowed acceptance of unencrypted messages that should have been encrypted. However, the impact was limited as it did not compromise key negotiation or authentication mechanisms, which is why it received a low severity rating (Vendor Advisory).

The vulnerability has been fixed in wolfSSL version 5.6.6. Users are recommended to upgrade to this version or later to address the issue. The fix involves implementing proper checks to ensure messages in a single (D)TLS record do not span key boundaries (GitHub PR).