CVE-2023-43615
Description
Mbed TLS buffer overread in null/RC4 cipher suites allows remote crash or info disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A buffer overread vulnerability exists in Mbed TLS when processing encrypted records in null-cipher or RC4 cipher suites. The MAC calculation subtracts the MAC length from the record length without verifying that the record is large enough, causing an overread of up to SIZE_MAX bytes. This affects all versions of Mbed TLS 2.x before 2.28.5 and 3.x before 3.5.0 when the vulnerable cipher suites are enabled. The default configuration disables these weak cipher suites. Only (D)TLS 1.2 and earlier are affected; TLS 1.3, CBC, and AEAD are not affected [1].
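The unchecked subtraction described above, shown as an added C sketch. It is not Mbed TLS source code and is not taken from the fix. The type and function names are hypothetical, and the 20-byte MAC length (the HMAC-SHA-1 size) and the sample records are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified record view; not an Mbed TLS structure. */
typedef struct {
    const uint8_t *data;   /* payload followed by MAC, as received */
    size_t len;            /* total length, controlled by the peer */
} record_t;

/* Flawed pattern: size_t subtraction with no lower bound. When
 * rec->len < mac_len the result wraps to a value close to SIZE_MAX,
 * and a MAC routine given that length reads far past the buffer. */
size_t mac_input_len_unchecked(const record_t *rec, size_t mac_len)
{
    return rec->len - mac_len;
}

/* Hardened pattern: reject the record before any subtraction.
 * Returns 0 and fills the outputs, or -1 if no MAC can fit. */
int split_record_checked(const record_t *rec, size_t mac_len,
                         size_t *payload_len, const uint8_t **mac)
{
    if (rec == NULL || rec->data == NULL || rec->len < mac_len)
        return -1;
    *payload_len = rec->len - mac_len;
    *mac = rec->data + *payload_len;
    return 0;
}

int main(void)
{
    static const uint8_t buf[25] = {0};      /* constructed sample bytes */
    const size_t mac_len = 20;               /* assumed: HMAC-SHA-1 size */
    record_t short_rec = { buf, 4 };         /* shorter than the MAC */
    record_t ok_rec = { buf, sizeof(buf) };  /* 5-byte payload + MAC */
    size_t n = 0;
    const uint8_t *mac = NULL;

    printf("unchecked length: %zu\n", mac_input_len_unchecked(&short_rec, mac_len));
    printf("short record: %d\n", split_record_checked(&short_rec, mac_len, &n, &mac));
    int rc = split_record_checked(&ok_rec, mac_len, &n, &mac);
    printf("valid record: %d, payload %zu\n", rc, n);
    return 0;
}
```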
Exploitation
An attacker must successfully complete a (D)TLS handshake using a null-cipher (e.g., TLS_xxx_WITH_NULL_hhh) or RC4 cipher suite. After the handshake, the attacker sends a malformed encrypted (or null-encrypted) record whose payload is shorter than the MAC length. This triggers the buffer overread when the receiver calculates the MAC [1].
Impact
Successful exploitation causes a buffer overread, which on many platforms results in a memory access fault (crash). On platforms without memory protection, where the address space includes memory-mapped peripherals, the read operations may lead to information disclosure [1].
Mitigation
Upgrade to Mbed TLS 2.28.5 (for the 2.x branch) or 3.5.0 (for the 3.x branch), which were released on October 5, 2023 [1]. As a workaround, ensure that null-cipher and RC4 cipher suites are not enabled in the build-time configuration; the default configuration is already safe [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Mbed TLS/Mbed TLS (description)
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (4)
- mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2023-10-1/ (nvd: Mitigation, Vendor Advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BDSHAANRULB57GVS5B3DZHXL5KCC7OWQ/ (nvd: Mailing List)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GGRB5MO2KUJKYPMGXMIZH2WRH6QR5UZS/ (nvd: Mailing List)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7SB7L6A56QZALDTOZ6O4X7PTC4I647R/ (nvd: Mailing List)