External risk intelligence

Mbed TLS DTLS Heap Buffer Overflow and Over-read Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2022-46393

Mbed TLS, a network security library, has a heap-based buffer overflow and over-read vulnerability in its DTLS implementation when specific configurations are enabled. This could lead to denial-of-service or potentially further compromise if reachable by an attacker. Readers should care because it affects the integrity

Halo Surface Signal: 3

Out-of-bounds Read

Arm Mbed TLS

Affected versions: before 2.28.2; 3.0.0 to before 3.3.0

External exposure likelihood

Halo Surface Signal score for CVE-2022-46393

Mbed TLS is a software library integrated into various products rather than a standalone service. While it is frequently used to implement network protocols like DTLS in internet-facing applications and devices, the exposure depends entirely on the specific product implementation, and the library itself is not inherently a public-facing service.

PCI scan relevance

PCI Relevance for CVE-2022-46393

Yes

CVE-2022-46393 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Mbed TLS involves a heap-based buffer overflow and over-read, which could lead to remote code execution, a critical issue for PCI compliance.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a security vulnerability in the Mbed TLS software library, which is used to implement network security protocols. The issue could allow for unauthorized access and manipulation of data if specific conditions are met.

  • Flaw affects network security library code.
  • Matters for products using specific security features.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted data over a network to a system using a vulnerable version of Mbed TLS with DTLS enabled and specific configuration options active. This can lead to a buffer overflow or buffer over-read within the DTLS connection processing, potentially allowing for a denial-of-service or, under certain conditions, further compromise.

  • Remote network access required.
  • Triggered by malformed DTLS data.
  • Risks include data corruption and system crash.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to cause a denial-of-service condition, potentially impacting the availability of the affected service. The specific impact depends on the configuration and whether the DTLS protocol with Connection IDs is enabled.

  • Network service availability.
  • Via crafted DTLS packets.
  • Service disruption or instability.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Identifying responsible teams begins with pinpointing Mbed TLS installations, assessing their reachability and criticality, and then locating the accountable owner to plan remediation. The first practical step is to determine the scope of affected systems (vulnerable version, DTLS with Connection IDs enabled) and prioritize based on risk.

  • Own the issue: Application or platform owners.
  • Verify first: System reachability and business impact.
  • Action: Plan risk-based remediation.

Frequently asked questions

What is Mbed TLS and what is it used for?

Mbed TLS is a software library that helps implement network security protocols, commonly used in various products to secure communication. It's a crucial component for ensuring the confidentiality and integrity of data transmitted over networks.

What is the weakness in Mbed TLS related to CVE-2022-46393?

This vulnerability is a heap-based buffer overflow and buffer over-read in the DTLS protocol implementation of Mbed TLS. It occurs when specific configurations, like enabling DTLS Connection IDs with particular length settings, are active.

How could an attacker trigger this Mbed TLS vulnerability?

An attacker can trigger this bug by sending specially crafted, malformed data over a network to a system using a vulnerable version of Mbed TLS. The vulnerability is not triggered if DTLS Connection IDs are not enabled or if the configuration does not meet the specific length criteria mentioned in the advisory.

Who should be concerned about this Mbed TLS vulnerability?

Organizations using Mbed TLS in products that are accessible from the internet should be concerned, as this vulnerability could potentially impact network service availability.

What is the first step to address this Mbed TLS issue?

The initial step is to identify all systems that use Mbed TLS and determine if they are running a vulnerable version. Prioritizing systems based on their network accessibility and business criticality is essential for planning remediation efforts.
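The scoping step described in the Operational Fix section and in the answer above can be expressed as a small triage script. The following is an added example, not tooling from the advisory or from the Mbed TLS project. It takes the affected version ranges from the advisory (before 2.28.2; 3.0.0 to before 3.3.0), and assumes an inventory record with three fields (the Mbed TLS version string, whether the build enables DTLS Connection IDs via the Mbed TLS option MBEDTLS_SSL_DTLS_CONNECTION_ID, and whether the DTLS endpoint is reachable from untrusted networks). The advisory's additional Connection ID length criteria are not modelled: an affected build with Connection IDs enabled is treated as exposed, which errs on the side of remediation. The inventory entries are constructed sample data.

```python
"""Triage helper for CVE-2022-46393 (added example; not the advisory's own tooling)."""
import re
from dataclasses import dataclass

# Affected Mbed TLS ranges as given by the advisory: before 2.28.2, and
# 3.0.0 up to but not including 3.3.0. Each range is half-open: [lo, hi).
AFFECTED_RANGES = (
    ((0, 0, 0), (2, 28, 2)),
    ((3, 0, 0), (3, 3, 0)),
)


def parse_version(text: str) -> tuple:
    """Extract the first major.minor.patch triple from strings such as 'mbedtls-2.16.12'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no version triple found in {text!r}")
    return tuple(int(part) for part in match.groups())


def version_is_affected(version: str) -> bool:
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


@dataclass
class Asset:
    """One inventory record; the field names are assumptions made for this example."""
    name: str
    mbedtls_version: str
    dtls_cid_enabled: bool      # build defines MBEDTLS_SSL_DTLS_CONNECTION_ID (assumed inventory field)
    internet_reachable: bool    # DTLS endpoint reachable from untrusted networks (assumed inventory field)


def triage(asset: Asset) -> str:
    """Map an asset to a remediation priority in the advisory's order of checks:
    vulnerable version first, then whether the DTLS Connection ID trigger condition
    is enabled, then reachability. CID length criteria are not modelled."""
    if not version_is_affected(asset.mbedtls_version):
        return "not-affected"
    if not asset.dtls_cid_enabled:
        return "low"        # vulnerable code present but the trigger condition is off; upgrade on schedule
    return "urgent" if asset.internet_reachable else "high"


def triage_inventory(assets) -> dict:
    """Return {priority: [asset names]} so each bucket can be assigned an owner."""
    buckets = {}
    for asset in assets:
        buckets.setdefault(triage(asset), []).append(asset.name)
    return buckets


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Asset("edge-gateway-01", "mbedtls-2.28.1", dtls_cid_enabled=True, internet_reachable=True),
    Asset("factory-plc-07", "3.2.1", dtls_cid_enabled=True, internet_reachable=False),
    Asset("build-server", "2.16.12", dtls_cid_enabled=False, internet_reachable=False),
    Asset("vpn-concentrator", "Mbed TLS 3.3.0", dtls_cid_enabled=True, internet_reachable=True),
    Asset("sensor-hub", "2.28.2", dtls_cid_enabled=True, internet_reachable=True),
]

if __name__ == "__main__":
    for priority, names in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{priority:13s} {', '.join(names)}")
```

The version comparison uses half-open ranges so that the first fixed releases (2.28.2 and 3.3.0) are classified as not affected, and tuple comparison avoids the lexical-ordering mistake of treating "2.28.10" as older than "2.28.2".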
