#VU96647 Insufficient Technical Documentation in mbed TLS - CVE-2024-45157

Cybersecurity Help s.r.o.

Published: 2024-08-30

Vulnerability identifier: #VU96647

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-45157

CWE-ID: CWE-1059

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
mbed TLS
Universal components / Libraries / Libraries used by multiple products

Vendor: ARM

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error in product documentation. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

mbed TLS: 2.0.0, 2.1.0 - 2.19.1, 2.2.0 - 2.28.8, 2.3.0, 2.4.0 - 2.4.2, 2.5.0 - 2.5.1, 2.6.0 - 2.6.1, 2.7.0 - 2.7.19, 2.8.0, 2.9.0, 3.0.0, 3.1.0, 3.2.0, 3.2.1, 3.3.0, 3.4.0, 3.4.1, 3.5.0 - 3.5.2, 3.6.0

External links
https://github.com/ARMmbed/mbedtls/releases/tag/mbedtls-2.28.9
https://github.com/ARMmbed/mbedtls/releases/tag/mbedtls-3.6.1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora 41 update for mbedtls3.6

Fedora 41 update for mbedtls

Multiple vulnerabilities in Mbed TLS