An authentication bypass vulnerability in wolfSSL allows for the acceptance of un-negotiated Raw Public Keys, undermining the integrity of TLS certificate validation.

This vulnerability occurs when the wolfSSL library fails to properly enforce X.509 certificate validation, erroneously accepting un-negotiated Raw Public Keys (as defined in RFC 7250). This allows an attacker to present an unauthorized key, effectively bypassing standard identity verification.

The CVSS score of 8.2 reflects the high risk posed by this authentication bypass. By successfully masquerading as a legitimate entity, an attacker could perform man-in-the-middle attacks, intercepting and decrypting sensitive traffic or injecting malicious data into secure sessions, leading to data breaches.

Immediate Action: Update the wolfSSL library to the latest version provided by the vendor to ensure proper certificate validation logic is restored.

Proactive Monitoring: Review application logs for handshake errors or unexpected public key presentations during TLS negotiation.

Compensating Controls: Utilize strict certificate pinning or secondary authentication mechanisms to verify identities if immediate library updates are not feasible.

Public Exploit Available: false

Organizations using wolfSSL for secure communications must apply the provided security updates immediately. Ensuring that TLS identity verification functions correctly is paramount to maintaining the confidentiality and integrity of network traffic.