External risk intelligence

Mbed TLS Stack Buffer Overflow in ECDSA Parsing

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2024-45158

A stack buffer overflow exists in Mbed TLS cryptography library functions that parse ECDSA data. If an application directly uses these functions and has specific configurations, a reachable vulnerability could lead to crashes or code execution. This impacts data protection and system integrity. Uncertainty exists regar

1Halo Surface Signal

Buffer Overflow

Trustedfirmware Mbed Tls

3.6.0

External exposure likelihood

Halo Surface Signal score for CVE-2024-45158

Mbed TLS is a software library meant to be embedded into other applications, not a standalone network service. This vulnerability specifically affects internal library functions that are not typically exposed to the public internet by design, and require custom implementation by a developer to be reachable.

PCI scan relevance

PCI Relevance for CVE-2024-45158

Yes

CVE-2024-45158 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This Mbed TLS vulnerability allowing for stack buffer overflows is considered a critical remote code execution risk, likely causing an ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability has been identified in Mbed TLS, a widely used cryptography library. This issue could allow for unauthorized access and manipulation of sensitive data if exploited, impacting the integrity and confidentiality of systems that utilize this library without proper configuration. The primary concern is to verify if our environment is affected by this vulnerability.

  • Stack overflow in cryptography library functions.
  • Affects data protection and system integrity.
  • Confirm relevance and identify exposure.

Attack Path

How an attacker could exploit the issue

An attacker could reach this vulnerability by making a specially crafted request to an application that directly uses the affected Mbed TLS functions, provided that PSA cryptography is disabled. This could allow the attacker to crash the application or potentially execute their own code.

  • No authentication required to reach.
  • Triggered by malformed cryptographic parameters.
  • Enables remote code execution.

Live Threat

Current exploitation, exposure, and threat context

A stack buffer overflow could occur in specific Mbed TLS functions when processing Elliptic Curve Digital Signature Algorithm (ECDSA) data with an unsupported bit size. This may affect applications that directly call these functions, when configured without PSA support.

  • Affects cryptographic operations.
  • Exposure via direct function calls.
  • Could lead to denial of service.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for applications that directly call the `mbedtls_ecdsa_der_to_raw()` or `mbedtls_ecdsa_raw_to_der()` functions, particularly those with PSA disabled, must urgently assess their exposure. The first step is to identify all instances of the affected Mbed TLS version, confirm their network reachability and business criticality, and then locate the accountable application owner to plan remediation.

  • Application owners should address this issue.
  • Verify direct function calls and PSA configuration.
  • Plan remediation based on confirmed exposure.

Frequently asked questions

What is Mbed TLS and what is it used for?

Mbed TLS is a cryptography library used in various applications, especially those with embedded systems. It provides functions for secure communication and data protection, commonly found in networking devices and software that requires encryption.

What type of vulnerability is CVE-2024-45158 in Mbed TLS?

CVE-2024-45158 is a stack buffer overflow vulnerability. This occurs when the Mbed TLS functions `mbedtls_ecdsa_der_to_raw()` or `mbedtls_ecdsa_raw_to_der()` are given a `bits` parameter that is larger than the supported curve sizes, potentially leading to crashes or code execution.

How can CVE-2024-45158 be triggered?

This vulnerability can be triggered if an application directly calls the affected Mbed TLS functions with a `bits` parameter exceeding supported curve sizes, specifically when the TrustedFirmware PSA (Platform Security Architecture) cryptography is disabled. Internal library calls are not affected.

Who needs to care about the Mbed TLS vulnerability CVE-2024-45158?

Developers and teams running applications that directly use the vulnerable Mbed TLS functions, especially when PSA is disabled, should care. The Halo Surface Signal indicates this is very unlikely to be internet-facing, suggesting the risk is primarily within internally developed applications.

What are the first steps for dealing with CVE-2024-45158?

First, identify all applications using Mbed TLS version 3.6.0. Then, check if these applications directly call the `mbedtls_ecdsa_der_to_raw()` or `mbedtls_ecdsa_raw_to_der()` functions and if PSA cryptography is disabled. If so, application owners need to plan for remediation.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified