CVE-2022-41724 is a vulnerability in crypto/tls, the TLS package of the Go standard library. The bug causes servers and clients to panic when large TLS handshake records are sent between them, which can be used for Denial-of-Service (DoS) attacks. This post covers the details of the vulnerability, including the affected versions, exploit details, and a code snippet, followed by mitigation strategies and links to the original references.

Exploit Details

The exploit revolves around the handling of large TLS handshake records by the crypto/tls library. Specifically, affected versions of the library do not properly handle oversized handshake messages, which may lead to panics in TLS clients and servers.

1. All TLS 1.3 clients

2. TLS 1.2 clients with session resumption enabled (by setting Config.ClientSessionCache to a non-nil value)

Here is a code snippet from the Go standard library showcasing the issue:

// crypto/tls/handshake_messages.go
func (m *clientHelloMsg) marshal() []byte {
    ...
    if m.ticketSupported {
        // If the ticketSupported flag is active, the server will attempt
        // to marshal the session ticket extension.
        sessionTicket := m.sessionTicket
        if !m.secure {
            sessionTicket = bytes.Repeat([]byte{}, maxSessionTicketLen)
        }
        extensions = appendTLSExtension(extensions, extensionSessionTicket, sessionTicket)
    }
    ...
}

// crypto/tls/tls_extensions.go
func appendTLSExtension(out []byte, extensionType uint16, extensionData []byte) []byte {
    l := len(extensionData)
    if l > maxExtensionLen {
        panic("extension data is too large")
    }
    ...
}

In the marshal function (in handshake_messages.go), the session ticket is padded with zeros if it's not secure, potentially causing it to exceed the maximum allowed size (maxSessionTicketLen). This issue, in turn, triggers a panic when calling the appendTLSExtension function (in tls_extensions.go), which checks if the extension data length is larger than the allowed maximum (maxExtensionLen).

Original References

- Go security advisory: golang.org/issue/50784
- Go security fix commit: github.com/golang/go/commit/766a60560d8b8ed2a5ad7456f88cd40b25a88da4

Mitigation Strategies

To protect your Go applications from this vulnerability, you should update your Go version to the latest patched release, which includes the security fix for CVE-2022-41724. The patched releases are:

Go 1.17.6

The Go security advisory also recommends disabling session tickets for insecure servers in your configuration:

tlsConfig := &tls.Config{
    // ... other settings ...
    ClientSessionCache: nil, // Disable session tickets for TLS 1.2 clients
}

For TLS 1.3 servers, you can disable client certificate requests to avoid being affected by the vulnerability:

tlsConfig := &tls.Config{
    // ... other settings ...
    ClientAuth: tls.NoClientCert, // Disable client certificate requests for TLS 1.3 servers
}
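
As an added example (not code from the Go project or from the original post), the helper below audits a tls.Config against the conditions this post names: TLS 1.3 clients, TLS 1.2 clients with a session cache, and TLS 1.3 servers that request client certificates. The names Role, allows and Exposure are hypothetical, and the sample config in main is constructed.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Role says whether the config is used to dial (Client) or to listen (Server).
type Role int

const (
	Client Role = iota
	Server
)

// allows reports whether cfg's version range includes v (TLS 1.2 or 1.3 here).
// A zero MinVersion or MaxVersion means "library default", which covers both.
func allows(cfg *tls.Config, v uint16) bool {
	return (cfg.MinVersion == 0 || cfg.MinVersion <= v) &&
		(cfg.MaxVersion == 0 || cfg.MaxVersion >= v)
}

// Exposure lists which of the conditions named in this post apply to cfg.
// An empty result means the config matches the post's workaround settings;
// it says nothing about whether the Go toolchain itself is patched.
func Exposure(cfg *tls.Config, role Role) []string {
	var hits []string
	switch role {
	case Client:
		if allows(cfg, tls.VersionTLS13) {
			hits = append(hits, "client can negotiate TLS 1.3")
		}
		if allows(cfg, tls.VersionTLS12) && cfg.ClientSessionCache != nil {
			hits = append(hits, "TLS 1.2 client with ClientSessionCache set")
		}
	case Server:
		if allows(cfg, tls.VersionTLS13) && cfg.ClientAuth != tls.NoClientCert {
			hits = append(hits, "TLS 1.3 server requests client certificates")
		}
	}
	return hits
}

func main() {
	// Constructed sample: a TLS 1.2-only client that keeps a session cache.
	c := &tls.Config{MaxVersion: tls.VersionTLS12, ClientSessionCache: tls.NewLRUClientSessionCache(8)}
	fmt.Println(Exposure(c, Client))
}
```

A default client config is still reported, because it can negotiate TLS 1.3; for that case the workaround settings do not apply and only the upgrade does.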

Follow the provided references and apply the necessary patches to your Go applications to safeguard them from potential attacks. Stay security-conscious and always keep your applications up-to-date with the latest security fixes.

Timeline

Published on: 02/28/2023 18:15:00 UTC
Last modified on: 03/10/2023 04:58:00 UTC