MatrixSSL vulnerabilities can cause a lot of security issues as this implementation is used by a lot of Internet of Things (IOT) devices.
The MatrixSSL Vulnerabilities Proves That IOT Updates Can Be Dangerous
A common security recommendation by experts is that developers of Internet of Things appliances should use the MatrixSSL implementation of of the SSL/TLS stack which is designed for IoT devices. However the recent outbreak of several critical vulnerabilities has caused these devices to be exposed for attackers.
Thousands of devices running MatrixSSL have been indexed on Shodan, the search engine for exposed IoT appliances. Another massive number of appliances are also probably running in the homes and offices of computer users worldwide.
In the past year the researchers Florian Weimer and Hanno Böck discovered dangerous cryptography issues in the implementation. This included the ability to leak the private key.
The security expert Craig Young decided to conduct a few instrumented tests to check the severity of the problem. In a matter of minutes he was able to identify three distinct issues:
- Exploitable heap buffer overflow (CVE-2016-6890)
- Buffer over-read issue (CVE-2016-6891)
- Improper free in the x509FreeExtensions() component (CVE-2016-6892)
The results conclude that a lot of the IoT devices are vulnerable to remote attacks. The expert suggests developers to stop using MatrixSSL altogether. The implementation raises severe concerns as many of the vendors do not supply updates to resolve the security weaknesses of the devices, including the SSL implementation.