Security Advisory 2021-02-02-2 - wolfSSL heap buffer overflow in RsaPad_PSS (CVE-2020-36177)

It's still work in progress, there is not that much information about it available yet (even wolfSSL itself is blank), but according to the very high CVSS score of 9.8 (10 is most severe) it's likely, that this issue has RCE potential.

In wolfSSL prior to version 4.6.0 there exists serious security issue. This wolfSSL library is provided as libwolfssl24 package in OpenWrt and shipped by default in snapshots since August 27th 2020. It's NOT shipped by default in latest stable OpenWrt release 19.07.

Full advisory can be found on dedicated wiki page.

Package upgrade to fixed libwolfssl24 version 4.6.0

  1. You need to update the affected libwolfssl24 package you're using with the command below.

    opkg update; opkg upgrade libwolfssl24

  2. Then verify, that you're running fixed version.

    opkg list-installed libwolfssl24

    The above command should output following for stable OpenWrt 19.07 release and snapshot builds:

    libwolfssl24 - 4.6.0-stable-1