External risk intelligence

Mbed TLS Stack Buffer Over-read Information Disclosure and Denial of Service Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2024-30166

A vulnerability in the Mbed TLS cryptographic library could allow a malicious client to cause information disclosure or a denial of service. This occurs when a TLS 1.3 server, using affected versions of the library, processes a specially crafted TLS 3.1 ClientHello message. The reader should care because this library i

Halo Surface Signal: 4

Information Disclosure

TrustedFirmware Mbed TLS

3.3.0 to before 3.6.0

External exposure likelihood

Halo Surface Signal score for CVE-2024-30166

Mbed TLS is a widely used cryptographic library integrated into numerous network-facing applications, TLS servers, and embedded gateways. Because it handles TLS handshake processing, vulnerabilities in its protocol implementation are commonly exposed to the public internet through the services that utilize the library to terminate encrypted connections.

PCI scan relevance

PCI Relevance for CVE-2024-30166

Yes

CVE-2024-30166 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

A stack buffer over-read in Mbed TLS servers processing a TLS 3.1 ClientHello can lead to information disclosure or denial of service. This is relevant for PCI scans due to its critical severity and network attack vector.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a vulnerability in the Mbed TLS cryptographic library. A flaw in how it handles certain TLS 1.3 connection requests could allow an attacker to access sensitive information or disrupt service. The primary concern is to confirm if this library is in use within our environment and if so, to what extent.

  • Malicious clients may expose information or cause denial of service.
  • This library is common in network-facing applications.
  • Confirm relevance and exposure of this library.

Attack Path

How an attacker could exploit the issue

A malicious client can target a TLS 1.3 server using the Mbed TLS library. By sending a specially crafted TLS 3.1 ClientHello message, the client can trigger a flaw in the server's protocol handling. This flaw can then lead to the disclosure of sensitive information or a denial of service.

  • Network access required.
  • Malicious TLS ClientHello triggers vulnerability.
  • Information disclosure or denial of service.

Live Threat

Current exploitation, exposure, and threat context

A malicious client could cause a denial of service or disclose up to 256 bytes of stack memory by sending a specially crafted TLS 1.3 ClientHello message to a vulnerable TLS 1.3 server. This vulnerability affects servers using Mbed TLS versions 3.3.0 through 3.5.2 when operating as a TLS 1.3 server.

  • Server stack memory could be exposed.
  • Malicious client sends malformed handshake.
  • Service disruption or minor data leak.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Mbed TLS affects systems implementing TLS 1.3 servers, potentially leading to information disclosure or denial of service. Ownership will likely fall to teams managing the applications or services that integrate this library, such as platform, infrastructure, or network security teams. The immediate first step is to identify all deployments of the affected Mbed TLS versions, assess their exposure and criticality, and then coordinate remediation efforts with the accountable owners.

  • Track all Mbed TLS deployments and scope.
  • Verify exposure and business criticality.
  • Plan remediation based on risk.

Frequently asked questions

What is the Mbed TLS vulnerability (CVE-2024-30166) and how does it affect TLS 1.3 servers?

CVE-2024-30166 is a critical vulnerability in Mbed TLS versions 3.3.0 through 3.5.2. A malicious client can exploit a stack buffer over-read in the TLS 1.3 server by sending a crafted TLS 3.1 ClientHello message. This can lead to information disclosure or a denial of service.

What is the weakness class and trigger path for CVE-2024-30166?

The weakness identified is CWE-121, which pertains to Stack-based buffer overflow. The trigger path involves a malicious client sending a malformed TLS 3.1 ClientHello message to a TLS 1.3 server utilizing the vulnerable Mbed TLS versions, specifically targeting the protocol handling during the TLS handshake.

How does a malicious client exploit this vulnerability and what is the scope of impact?

A malicious client can exploit this vulnerability by sending a specially crafted TLS 3.1 ClientHello message. This triggers a stack buffer over-read in the Mbed TLS library when used in a TLS 1.3 server. The impact can be information disclosure, potentially revealing up to 256 bytes of stack memory, or a denial of service, disrupting the server's availability.

What is the relevance of this vulnerability given Mbed TLS's widespread use in network-facing applications?

Mbed TLS is a widely adopted cryptographic library integrated into many network-facing applications, TLS servers, and embedded systems. Vulnerabilities in its TLS handshake processing, like CVE-2024-30166, are exposed to the public internet through these services. The Halo Surface Signal rates this as 'Likely' due to the broad integration of Mbed TLS in services that terminate encrypted connections.

What are the practical steps for addressing the Mbed TLS vulnerability?

To address this vulnerability, organizations must first identify all instances where Mbed TLS versions 3.3.0 through 3.5.2 are deployed as TLS 1.3 servers. Subsequently, assess the exposure and business criticality of these deployments. Finally, coordinate remediation efforts, likely involving updating the library to a non-vulnerable version, with the teams responsible for the affected applications or services.
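The identification step described here and under "Operational Fix" can be partly automated for source trees and vendored copies of the library. The following is an added example, not part of the original advisory or the Mbed TLS project: it reads the version macro and the feature macros from header text and reports whether a build falls in the advisory's range (3.3.0 to before 3.6.0) with the TLS 1.3 server code compiled in. It assumes the usual Mbed TLS 3.x layout (`MBEDTLS_VERSION_STRING` in `build_info.h`, feature macros in `mbedtls_config.h`); the function names, result labels, and sample header text are constructed for illustration.

```python
import re

AFFECTED_MIN = (3, 3, 0)  # advisory range: 3.3.0 ...
FIXED_IN = (3, 6, 0)      # ... to before 3.6.0

VERSION_RE = re.compile(
    r'^[ \t]*#[ \t]*define[ \t]+MBEDTLS_VERSION_STRING[ \t]+"(\d+)\.(\d+)\.(\d+)"', re.M)
DEFINE_RE = re.compile(r'^[ \t]*#[ \t]*define[ \t]+(MBEDTLS_\w+)', re.M)

def parse_version(build_info_text):
    """Return (major, minor, patch) from build_info.h text, or None."""
    m = VERSION_RE.search(build_info_text)
    return tuple(map(int, m.groups())) if m else None

def enabled_macros(config_text):
    """Macros actually defined; '//#define X' and /* ... */ blocks are ignored."""
    without_blocks = re.sub(r'/\*.*?\*/', '', config_text, flags=re.S)
    return set(DEFINE_RE.findall(without_blocks))

def triage(build_info_text, config_text):
    """Classify one build against the advisory's version range and trigger condition."""
    version = parse_version(build_info_text)
    if version is None:
        return "unknown-version"
    if not (AFFECTED_MIN <= version < FIXED_IN):
        return "version-not-in-range"
    # The advisory's condition: the library operates as a TLS 1.3 server.
    needed = {"MBEDTLS_SSL_PROTO_TLS1_3", "MBEDTLS_SSL_SRV_C"}
    if needed <= enabled_macros(config_text):
        return "in-range-tls13-server-built"
    return "in-range-tls13-server-not-built"

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_BUILD_INFO = '''
#define MBEDTLS_VERSION_NUMBER 0x03050200
#define MBEDTLS_VERSION_STRING "3.5.2"
#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.5.2"
'''
SAMPLE_CONFIG_TLS13 = '''
#define MBEDTLS_SSL_SRV_C
/* TLS 1.3 enabled for this build */
#define MBEDTLS_SSL_PROTO_TLS1_3
'''
SAMPLE_CONFIG_TLS12_ONLY = '''
#define MBEDTLS_SSL_SRV_C
#define MBEDTLS_SSL_PROTO_TLS1_2
//#define MBEDTLS_SSL_PROTO_TLS1_3
'''

if __name__ == "__main__":
    for name, cfg in [("tls13", SAMPLE_CONFIG_TLS13), ("tls12-only", SAMPLE_CONFIG_TLS12_ONLY)]:
        print(name, triage(SAMPLE_BUILD_INFO, cfg))
```

A header scan does not see features switched on through an alternative configuration file (`MBEDTLS_CONFIG_FILE`) or compiler `-D` flags, so a "not built" result should be confirmed against the actual build settings before a deployment is ruled out.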
