CVE-2018-9989
Description
A buffer over-read in mbed TLS's ssl_parse_server_psk_hint() can cause a crash on crafted input, affecting versions before 2.1.11, 2.7.2, and 2.8.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A buffer over-read vulnerability exists in the ssl_parse_server_psk_hint() function of ARM mbed TLS. The function parses the PSK identity hint from a TLS ServerKeyExchange message without proper bounds checking on the length field. This allows an attacker to trigger an arithmetic overflow in the pointer comparison, leading to a read beyond the allocated buffer. The issue affects mbed TLS versions before 2.1.11, before 2.7.2, and before 2.8.0. The fix involves adding a bounds check before reading the length ([2]) and correcting the overflow condition ([1]).
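The two checks described above, shown as an added example (not mbed TLS's code and not taken from the referenced commits). The function names and error codes are hypothetical, and the wrap-around is modelled on integers because pointer overflow is undefined behaviour in C.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { HINT_OK = 0, HINT_ERR_SHORT = -1, HINT_ERR_LEN = -2 };

/* Pointer-style comparison modelled on integers: pointer overflow is
 * undefined behaviour in C, so the wrap is simulated with uintptr_t. */
int pointer_form_rejects(uintptr_t p, uintptr_t end, size_t len)
{
    return (uintptr_t)(p + len) > end;      /* p + len may wrap past zero */
}

/* Overflow-safe form: compare the length with the bytes remaining. */
int length_form_rejects(uintptr_t p, uintptr_t end, size_t len)
{
    return len > (size_t)(end - p);         /* requires p <= end */
}

/* Hypothetical parser (not mbed TLS code): 2-byte big-endian length, then
 * that many hint bytes, all inside [*p, end). Caller guarantees *p <= end. */
int parse_psk_hint(const unsigned char **p, const unsigned char *end,
                   const unsigned char **hint, size_t *hint_len)
{
    if (end - *p < 2)                       /* length field must fit first */
        return HINT_ERR_SHORT;
    size_t len = ((size_t)(*p)[0] << 8) | (*p)[1];
    *p += 2;
    if (len > (size_t)(end - *p))           /* never compute *p + len here */
        return HINT_ERR_LEN;
    *hint = *p;
    *hint_len = len;
    *p += len;
    return HINT_OK;
}

int main(void)
{
    /* Constructed input: declares 0xFFFF hint bytes but carries only one. */
    const unsigned char msg[] = { 0xFF, 0xFF, 'a' };
    const unsigned char *p = msg, *hint = NULL;
    size_t n = 0;
    printf("parser: %d\n", parse_psk_hint(&p, msg + sizeof msg, &hint, &n));
    /* 8 bytes remain near the top of the address space, declared len 0x100. */
    printf("pointer form rejects: %d, length form rejects: %d\n",
           pointer_form_rejects(UINTPTR_MAX - 15, UINTPTR_MAX - 7, 0x100),
           length_form_rejects(UINTPTR_MAX - 15, UINTPTR_MAX - 7, 0x100));
    return 0;
}
```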
Exploitation
An attacker must be able to send a malicious TLS ServerKeyExchange message to a client that uses a PSK ciphersuite. No prior authentication is required; the attacker can act as a rogue server or perform a man-in-the-middle attack. The crafted message contains a PSK identity hint length field that, when processed, causes the pointer (*p) + len to overflow, bypassing the subsequent bounds check and allowing an out-of-bounds read.
Impact
Successful exploitation results in a denial of service (crash) of the client application. In some cases, the buffer over-read may also disclose sensitive memory contents, though the primary documented impact is a crash. The vulnerability is in the client-side parsing, so the client is the affected component.
Mitigation
Fixed in mbed TLS versions 2.1.11, 2.7.2, and 2.8.0. Users should upgrade to these versions or later. The patches are available in commits [1] and [2]. No workaround is documented; upgrading is the recommended mitigation.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
References (5)
- github.com/ARMmbed/mbedtls/commit/5224a7544c95552553e2e6be0b4a789956a6464e (nvd: Patch, Third Party Advisory)
- github.com/ARMmbed/mbedtls/commit/740b218386083dc708ce98ccc94a63a95cd5629e (nvd: Patch, Third Party Advisory)
- lists.debian.org/debian-lts-announce/2018/09/msg00029.html (nvd: Mailing List, Third Party Advisory)
- lists.debian.org/debian-lts-announce/2021/11/msg00021.html (nvd: Mailing List, Third Party Advisory)
- tls.mbed.org/tech-updates/releases/mbedtls-2.8.0-2.7.2-and-2.1.11-released (nvd: Release Notes, Vendor Advisory)