
Mbed TLS Buffer Underrun in Opaque Key Pair Writing

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2024-49195

Mbed TLS has a buffer underrun vulnerability in the `pkwrite` function affecting versions 3.5.x through 3.6.x before 3.6.2 when writing opaque key pairs, potentially leading to denial-of-service or data manipulation.

Halo Surface Signal: 1

Weakness: Out-of-bounds Write

Vendor and product: TrustedFirmware Mbed TLS

Affected versions: 3.5.0 to before 3.6.2

External exposure likelihood


Mbed TLS is a software library (SDK) embedded within other applications, firmware, or hardware devices to provide cryptographic functionality. It is not an internet-facing service, appliance, or gateway itself; exposure depends entirely on the implementation by a third-party developer.

PCI scan relevance


Yes

CVE-2024-49195 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability is PCI relevant as it could allow remote code execution, leading to a scan failure. Attackers could exploit this to compromise sensitive systems.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in the Mbed TLS cryptographic library, specifically related to how it handles opaque key pairs. This library is widely used to secure communications and data across various embedded systems and applications. The vulnerability could allow for significant compromise if exploited, necessitating a review of its presence in our environment.

  • A flaw exists in key pair handling.
  • Critical library used in many systems.
  • Confirm relevance and identify exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted data to a network-exposed service that uses a vulnerable version of Mbed TLS. This could lead to a buffer underrun, potentially allowing for significant impact on confidentiality, integrity, and availability.

  • Requires network access.
  • Triggered by writing opaque key pairs.
  • Risk of data corruption or crashes.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to cause a buffer underrun when writing an opaque key pair, potentially leading to denial-of-service or, under certain conditions, information disclosure or manipulation.

  • Compromised key pair writing.
  • Malicious data sent to the service.
  • Potential denial of service or data leakage.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Mbed TLS, affecting versions 3.5.x through 3.6.x before 3.6.2, resides within the `pkwrite` function when handling opaque key pairs. Owners of applications, firmware, or devices that embed this library must first identify all instances of the vulnerable software, determine their network exposure and business criticality, and then locate the accountable parties for remediation. Planning for mitigation should follow, considering the assessed risk.

  • App or firmware owners should lead.
  • Verify Mbed TLS library usage and reachability.
  • Plan remediation based on asset criticality.
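
One way to start the identification step above is to scan firmware images or binaries for the library's embedded version string and compare it with the affected range stated in this advisory. This is an added example, not code from the advisory or from the Mbed TLS project; it assumes the build retained a version string of the form "Mbed TLS X.Y.Z", and the helper names and sample blobs are constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: the binary still contains the full version string
# ("Mbed TLS X.Y.Z"); stripped or size-optimised builds may not.
VERSION_RE = re.compile(rb"Mbed TLS (\d{1,3})\.(\d{1,3})\.(\d{1,3})", re.IGNORECASE)
AFFECTED_FROM = (3, 5, 0)  # first affected release per this advisory
FIXED_IN = (3, 6, 2)       # first fixed release per this advisory

def versions_in_blob(blob: bytes) -> set:
    """Return every Mbed TLS version tuple embedded in a binary blob."""
    return {tuple(int(g) for g in m.groups()) for m in VERSION_RE.finditer(blob)}

def is_affected(version: tuple) -> bool:
    """True when AFFECTED_FROM <= version < FIXED_IN."""
    return AFFECTED_FROM <= version < FIXED_IN

def classify(blob: bytes) -> str:
    """'affected', 'not-affected', or 'unknown' when no version string is found."""
    found = versions_in_blob(blob)
    if not found:
        return "unknown"  # absence of the string is not proof of absence
    return "affected" if any(is_affected(v) for v in found) else "not-affected"

def scan_tree(root: str) -> dict:
    """Classify every regular file under root; maps path -> verdict."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            try:
                results[str(path)] = classify(path.read_bytes())
            except OSError:
                results[str(path)] = "unreadable"
    return results

# Constructed sample blobs standing in for firmware images.
SAMPLES = {
    "gateway.bin": b"\x7fELF\x00\x00Mbed TLS 3.6.0\x00pkwrite",
    "sensor.bin": b"\x00\x01Mbed TLS 3.6.2\x00",
    "legacy.bin": b"\x00Mbed TLS 3.4.1\x00",
    "stripped.bin": b"\x00\x00\x00\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify(blob)}")
```

Files reported as "unknown" still need a manual check against build manifests or an SBOM, since the version string may have been removed at link time.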

Frequently asked questions

What is Mbed TLS and its function in embedded systems?

Mbed TLS is a cryptographic library that provides essential functions for securing communications and data. It is commonly embedded in applications, firmware, or hardware devices, particularly within embedded systems.

How does CVE-2024-49195 introduce a security risk?

CVE-2024-49195 is a buffer underrun vulnerability present in Mbed TLS's `pkwrite` function. This weakness can be triggered when writing opaque key pairs, potentially leading to data corruption or service interruptions.

What are the conditions for exploiting the CVE-2024-49195 vulnerability?

Exploitation requires an attacker to send specially crafted data to a network-exposed service that utilizes a vulnerable version of Mbed TLS, specifically impacting the opaque key pair writing process.

What is the potential impact of exploiting CVE-2024-49195 on system security?

Exploiting this vulnerability can lead to a buffer underrun, potentially resulting in denial-of-service conditions, information disclosure, or data manipulation. The Halo Surface Signal rates external exposure as very unlikely because Mbed TLS is an embedded library.

What steps should be taken to address the Mbed TLS vulnerability?

Owners of applications, firmware, or devices using Mbed TLS versions 3.5.x through 3.6.x before 3.6.2 must identify all instances of the vulnerable software. It is crucial to determine network exposure and business criticality, then plan remediation efforts based on the assessed risk.
