VYPR
Critical severity 9.8 · NVD Advisory · Published Oct 7, 2023 · Updated Jun 5, 2026

CVE-2023-45199

Description

Mbed TLS 3.2.x to 3.4.x has a heap buffer overflow in TLS handshake parsing with ECDH, allowing remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Mbed TLS versions 3.2.0 through 3.4.x (prior to 3.5) contain a heap buffer overflow in TLS handshake parsing when ECDH or FFDH public keys are processed. For TLS 1.3, any client or server configured with signature-based authentication is affected: an unauthenticated peer can send an overly long ECDH or FFDH public key (up to 65535 bytes), which is written into a shorter buffer and overflows it. For TLS 1.2, servers with MBEDTLS_USE_PSA_CRYPTO enabled that use ECDH cipher suites with signatures are vulnerable: up to 255 bytes are copied into a heap buffer sized for a valid public key, and that buffer is shorter unless RSA or FFDH (≥2048 bits) is also enabled. In TLS 1.2, clients and builds without MBEDTLS_USE_PSA_CRYPTO are not affected [1].
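
The bounds check whose absence produces this class of overflow, as an added C example (not Mbed TLS code and not taken from the advisory): a length-prefixed peer public key is copied only after its declared length is checked against both the received message and the destination buffer. The function name, error codes and the simplified 1- or 2-byte length-prefix layout are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed for illustration; hypothetical names, not Mbed TLS identifiers. */
#define P256_POINT_LEN 65u /* uncompressed P-256 point: 0x04 || X || Y */

enum { KEY_OK = 0, KEY_ERR_TRUNCATED = -1, KEY_ERR_TOO_LONG = -2,
       KEY_ERR_BAD_ARG = -3 };

/*
 * Copy a length-prefixed peer public key out of a handshake message.
 * prefix_bytes is 1 (declared length <= 255, the TLS 1.2 case above) or
 * 2 (declared length <= 65535, the TLS 1.3 case above).
 * Returns KEY_OK and sets *out_len, or a negative error without writing dst.
 */
int copy_peer_pubkey(uint8_t *dst, size_t dst_cap,
                     const uint8_t *msg, size_t msg_len,
                     size_t prefix_bytes, size_t *out_len)
{
    size_t key_len;

    if (dst == NULL || msg == NULL || out_len == NULL ||
        (prefix_bytes != 1 && prefix_bytes != 2))
        return KEY_ERR_BAD_ARG;
    if (msg_len < prefix_bytes)
        return KEY_ERR_TRUNCATED;

    /* The declared length is peer-controlled: treat it as untrusted. */
    key_len = (prefix_bytes == 1) ? (size_t)msg[0]
                                  : (((size_t)msg[0] << 8) | (size_t)msg[1]);

    /* It must fit in the bytes actually received (no over-read)... */
    if (key_len > msg_len - prefix_bytes)
        return KEY_ERR_TRUNCATED;
    /* ...and in the destination, which is sized for a valid key only.
     * Without this comparison a long key overruns the heap buffer. */
    if (key_len > dst_cap)
        return KEY_ERR_TOO_LONG;

    memcpy(dst, msg + prefix_bytes, key_len);
    *out_len = key_len;
    return KEY_OK;
}
```

Rejecting the message before the copy, rather than truncating the key, keeps the handshake from continuing with a key the peer did not actually send.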

Exploitation

An attacker requires only network access to send a malicious TLS handshake message containing an overly long ECDH or FFDH public key. No authentication or prior knowledge is needed; the attacker, as an unauthenticated peer, can trigger the overflow during the handshake. The attack does not require user interaction and can be performed remotely [1].

Impact

Successful exploitation results in a heap buffer overflow with attacker-controlled data. This can often be escalated to arbitrary code execution, giving the attacker full control of the affected system. The severity is rated HIGH [1].

Mitigation

The vulnerability is fixed in Mbed TLS version 3.5.0, released on 5 October 2023. Users should upgrade to this version immediately. The default configuration is not affected. As a workaround for TLS 1.2, enabling support for RSA or FFDH with keys of at least 2048 bits alongside ECDH mitigates the TLS 1.2 variant, but TLS 1.3 remains vulnerable in that case. Mbed TLS 2.28 is not affected [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

References

1
