CVE-2021-37155 – This vulnerability in wolfSSL allows attackers ... (How to Fix)

Q: What is the severity of CVE-2021-37155?

CVE-2021-37155 has a CVSS score of 9.8 (CRITICAL). This vulnerability in wolfSSL allows attackers to bypass OCSP (Online Certificate Status Protocol) validation by providing mismatched serial numbers between requests and responses. This could enable man-in-the-middle attacks where revoked certificates appear valid. Affects systems using wolfSSL 4.6.x through 4.7.x for TLS/SSL connections with OCSP checking enabled.

📋 TL;DR

This vulnerability in wolfSSL allows attackers to bypass OCSP (Online Certificate Status Protocol) validation by providing mismatched serial numbers between requests and responses. This could enable man-in-the-middle attacks where revoked certificates appear valid. Affects systems using wolfSSL 4.6.x through 4.7.x for TLS/SSL connections with OCSP checking enabled.

💻 Affected Systems

Products:

wolfSSL

Versions: 4.6.x through 4.7.x (before 4.8.0)

Operating Systems: All platforms running wolfSSL

Default Config Vulnerable: ✅ No

Notes: Only affects systems with OCSP validation enabled; default configurations may not use OCSP.

📦 What is this software?

Wolfssl by Wolfssl

View all CVEs affecting Wolfssl →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers can impersonate legitimate servers using revoked certificates, intercepting and manipulating encrypted traffic in man-in-the-middle attacks.

🟠

Likely Case

Attackers bypass certificate revocation checks, allowing use of compromised certificates that should be rejected.

🟢

If Mitigated

If OCSP is disabled or alternative revocation methods are used, impact is limited; proper network segmentation reduces attack surface.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires man-in-the-middle position and ability to manipulate OCSP traffic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.8.0 and later

Vendor Advisory: https://github.com/wolfSSL/wolfssl/releases/tag/v4.8.0-stable

Restart Required: Yes

Instructions:

1. Download wolfSSL 4.8.0 or later from official repository. 2. Replace vulnerable version. 3. Recompile applications using wolfSSL. 4. Restart affected services.

🔧 Temporary Workarounds

Disable OCSP validation

all

Temporarily disable OCSP checking in wolfSSL configuration

Configure wolfSSL with --disable-ocsp or set appropriate compile-time flags

Use alternative revocation methods

all

Switch to CRL (Certificate Revocation List) checking instead of OCSP

Configure wolfSSL to use CRL checking via appropriate API calls

🧯 If You Can't Patch

Implement network segmentation to limit exposure of vulnerable systems
Deploy network monitoring for unusual certificate validation patterns

🔍 How to Verify

Check if Vulnerable:

Check wolfSSL version: wolfssl_version() returns version string; compare against affected range 4.6.0-4.7.x

Check Version:

wolfssl_version() or check library headers

Verify Fix Applied:

Verify version is 4.8.0 or higher and test OCSP validation with mismatched serial numbers

📡 Detection & Monitoring

Log Indicators:

Failed OCSP validations with mismatched serial numbers
Unexpected successful certificate validations

Network Indicators:

Unusual OCSP request/response patterns
Traffic interception attempts

SIEM Query:

Search for wolfSSL version strings 4.6.* or 4.7.* in system logs

📊 Metadata

CVE ID: CVE-2021-37155

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: July 21, 2021

Last Updated: November 21, 2024

🔗 References

https://github.com/wolfSSL/wolfssl/pull/3990 Patch,Third Party Advisory
https://github.com/wolfSSL/wolfssl/releases/tag/v4.8.0-stable Release Notes,Third Party Advisory
https://github.com/wolfSSL/wolfssl/pull/3990 Patch,Third Party Advisory
https://github.com/wolfSSL/wolfssl/releases/tag/v4.8.0-stable Release Notes,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON