CVE-2017-18187

Vulnerability

In ARM mbed TLS versions before 2.7.0, the function ssl_parse_client_psk_identity() in library/ssl_srv.c contains an integer overflow vulnerability when parsing PSK identity length. The check if( *p + 2 > end ) and later if( n < 1 || n > 65535 || *p + n > end ) use pointer arithmetic with *p (unsigned char pointer). If *p is near the end of the buffer, adding a large value can wrap around, bypassing the bounds check and allowing the subsequent read to access memory beyond the buffer [1][3]. This affects all versions prior to 2.7.0 [2].

Exploitation

An attacker must be in a position to send a crafted TLS ClientKeyExchange message during a handshake where PSK (Pre-Shared Key) ciphersuite is used. No authentication is required; the attacker only needs network connectivity to the server. By providing a specially crafted PSK identity length that causes an integer overflow in the pointer arithmetic, the bounds check is bypassed, and the server reads an attacker-controlled length of data from the buffer, leading to an out-of-bounds read [3].

Impact

Successful exploitation can lead to a buffer over-read, potentially disclosing sensitive information from the server's memory. In worst-case scenarios, as noted in the Gentoo security advisory, this could lead to arbitrary code execution or denial of service [2]. The exact impact depends on the adjacent memory contents and the server's handling of the parsed identity.

Mitigation

The vulnerability is fixed in mbed TLS version 2.7.0. The fix changes the boundary checks to use subtraction instead of addition, preventing integer overflow: if( end - *p < 2 ) and if( n < 1 || n > 65535 || n > (size_t)( end - *p ) ) [3]. Users should upgrade to version 2.7.0 or later. Gentoo recommends upgrading to version 2.7.2 [2]. No workaround is known.