Researchers have discovered several flaws in the MatrixSSL TLS stack used in IoT devices, two of which could let an attacker execute arbitrary code on a vulnerable device.
MatrixSSL is a small TLS/SSL stack that’s designed for use in embedded systems and other constrained environments. The software can run in low-memory environments, which has made it attractive to manufacturers of IoT devices. Researchers at Cisco’s Talos team decided to take a look at the security of the software and discovered three separate vulnerabilities in version 3.8.7b, including two buffer overflows.
The two buffer overflows are closely related: both arise from the way the software parses the X.509 PolicyMappings certificate extension.
“MatrixSSL is susceptible to a heap based buffer overflow due to a vulnerability in the ‘parsePolicyMappings’ function while parsing the x509 SubjectDomainPolicy PolicyMappings extension. When parsing x509 certificates in DER format, a fixed size heap allocation occurs,” Cisco’s post on the flaws says.
“In situations where the received encoded OID value is longer than the amount of space that has been allocated to the heap, an overflow condition occurs. This vulnerability could be exploited by an attacker to achieve remote code execution on vulnerable systems using a specially crafted OID value.”
The second buffer overflow is nearly identical, but occurs when the function is parsing the IssuerPolicy PolicyMappings extension. The third vulnerability is an integer overflow that could be used to leak sensitive information from vulnerable systems.
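Both overflows described above follow the same pattern: a DER value is copied into a heap allocation whose size was fixed before the value's encoded length was checked. The following C parser is an added example written for this article, not MatrixSSL's parsePolicyMappings or any code from Cisco's report; the OID_HEAP_SIZE constant, the function names, the error codes and the sample byte strings are all constructed assumptions. It decodes a DER OID element and rejects any value that would not fit either the input buffer or the fixed allocation, which is the check whose absence the advisory describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed allocation size for an OID value (assumption, not MatrixSSL's). */
#define OID_HEAP_SIZE 32
#define DER_TAG_OID   0x06

/* Decode a DER length field at p (avail bytes readable).
 * Returns the number of length bytes consumed, or 0 if the encoding is
 * invalid, indefinite, non-minimal, or runs past the input. */
static size_t der_read_length(const uint8_t *p, size_t avail, size_t *len_out)
{
    if (avail < 1)
        return 0;
    uint8_t first = p[0];
    if (first < 0x80) {              /* short form: a single length byte */
        *len_out = first;
        return 1;
    }
    size_t n = first & 0x7F;         /* long form: n following length bytes */
    if (n == 0 || n > sizeof(size_t) || avail < 1 + n)
        return 0;                    /* 0x80 is indefinite (not DER); too many bytes; truncated */
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        len = (len << 8) | p[1 + i];
    if (len < 0x80 || p[1] == 0)     /* DER requires the shortest possible encoding */
        return 0;
    *len_out = len;
    return 1 + n;
}

/* Copy the value of a DER-encoded OID into a fixed-size heap buffer.
 * Every length is validated against both the input and the allocation
 * before memcpy; the comparison against OID_HEAP_SIZE is the check whose
 * absence would let an overlong OID write past the allocation.
 * Returns the value length on success, a negative error code otherwise. */
int parse_oid_checked(const uint8_t *der, size_t der_len, uint8_t **out)
{
    size_t len, hdr;
    if (der_len < 2 || der[0] != DER_TAG_OID)
        return -1;                   /* not an OID element */
    hdr = der_read_length(der + 1, der_len - 1, &len);
    if (hdr == 0)
        return -2;                   /* malformed length field */
    if (len > der_len - 1 - hdr)
        return -3;                   /* declared value runs past the input buffer */
    if (len == 0 || len > OID_HEAP_SIZE)
        return -4;                   /* value would not fit the fixed allocation */
    uint8_t *buf = malloc(OID_HEAP_SIZE);
    if (buf == NULL)
        return -5;
    memcpy(buf, der + 1 + hdr, len); /* safe: len <= OID_HEAP_SIZE and within the input */
    *out = buf;
    return (int)len;
}

/* Constructed sample input: the DER encoding of OID 1.2.840.113549.1.1.11. */
static const uint8_t OID_SHA256_RSA[] = {
    0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B };

int demo_valid(void)
{
    uint8_t *v = NULL;
    int r = parse_oid_checked(OID_SHA256_RSA, sizeof OID_SHA256_RSA, &v);
    free(v);
    return r;                        /* 9: value length of the sample OID */
}

/* Constructed input whose declared length (48) exceeds the 32-byte allocation. */
int demo_oversized(void)
{
    uint8_t in[2 + 48];
    in[0] = DER_TAG_OID;
    in[1] = 48;
    memset(in + 2, 0x2A, 48);
    uint8_t *v = NULL;
    int r = parse_oid_checked(in, sizeof in, &v);
    free(v);
    return r;                        /* -4: rejected before any copy */
}

/* Constructed input that declares 9 value bytes but carries only 2. */
int demo_truncated(void)
{
    const uint8_t in[] = { 0x06, 0x09, 0x2A, 0x86 };
    uint8_t *v = NULL;
    int r = parse_oid_checked(in, sizeof in, &v);
    free(v);
    return r;                        /* -3: value exceeds the input */
}

int main(void)
{
    printf("valid=%d oversized=%d truncated=%d\n",
           demo_valid(), demo_oversized(), demo_truncated());
    return 0;
}
```

The allocation size is still fixed, as in the advisory's description; what changes is that the parser compares the decoded length against that size (and against the bytes actually present) before touching the heap, so a certificate carrying an oversized OID is rejected rather than copied.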
Aleksandar Nikolic of Cisco’s Talos team, who discovered the vulnerabilities, reported them to the maintainers of MatrixSSL. There is a new release, version 3.9.3, which fixes the flaws.
“Many of the embedded systems potentially affected by these vulnerabilities lack modern heap exploitation mitigations which may make it easier to successfully exploit them. As some of these vulnerabilities can be leveraged by an attacker to obtain remote code execution on affected systems, it is recommended that the security update be applied as quickly as possible,” Cisco’s advisory says.