VYPR
Critical severity 9.8 · NVD Advisory · Published Oct 15, 2024 · Updated Jun 5, 2026

CVE-2024-49195

Description

Mbed TLS 3.5.0 through 3.6.1 suffers a buffer underrun in pkwrite functions when writing opaque key pairs with insufficient output buffer, leading to memory corruption.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A buffer underrun exists in mbedtls_pk_write_key_der() and mbedtls_pk_write_key_pem() when the output buffer is too small and the compile-time option MBEDTLS_USE_PSA_CRYPTO is enabled with an opaque key (MBEDTLS_PK_OPAQUE). Three specific cases trigger the issue: writing an elliptic curve key pair with mbedtls_pk_write_key_der() when MBEDTLS_ECP_C is enabled and the buffer is smaller than the uncompressed public key; writing an RSA key pair with mbedtls_pk_write_key_der() when the buffer is smaller than the actual output; and writing an RSA key pair with mbedtls_pk_write_key_pem() if MBEDTLS_MPI_MAX_SIZE <= 420. The vulnerability affects Mbed TLS versions 3.5.0 through 3.6.1 inclusive [1].

Exploitation

An attacker must cause an application to call the affected functions with an output buffer that is too small for the key representation. The advisory notes that the output is first written safely into an intermediate buffer, then copied to the destination buffer without a size check, leading to a buffer underrun. No authentication or network access is required; the attacker needs to control the buffer size passed to the API, typically through a crafted input or configuration [1].

Impact

Successful exploitation results in a buffer underrun of up to the size of the key representation. Depending on the memory location of the application buffer, this can cause stack or heap corruption, potentially leading to denial of service or arbitrary code execution [1].

Mitigation

Users should upgrade to Mbed TLS 3.6.2, which fixes the vulnerability. As a workaround, callers can ensure the output buffer is large enough, for example by using PSA_EXPORT_KEY_PAIR_MAX_SIZE. The advisory states that no unsafe calls to mbedtls_pk_write_key_der() exist within Mbed TLS itself, except when the application supplies an insufficient buffer [1].
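The copy-without-size-check pattern described under Exploitation, next to the bounds check that the workaround relies on, as an added C model that is not Mbed TLS code and not taken from the advisory. The function names, the error code and the canary arena are hypothetical; the write position at the end of the caller's buffer matches how the pk write functions place their output.

```c
#include <stdio.h>
#include <string.h>

#define ERR_BUF_TOO_SMALL (-1) /* hypothetical error code for this model */
#define GUARD 64               /* canary bytes in front of the caller's buffer */
#define CANARY 0xA5

/* Vulnerable pattern: tmp already holds the encoding (the safe intermediate
 * buffer); it is copied to the END of buf with no check that len <= size,
 * so for len > size the copy starts before buf. */
static int write_end_unchecked(unsigned char *buf, size_t size,
                               const unsigned char *tmp, size_t len)
{
    memcpy(buf + size - len, tmp, len);
    return (int) len;
}

/* Hardened pattern: reject the call before touching the destination. */
static int write_end_checked(unsigned char *buf, size_t size,
                             const unsigned char *tmp, size_t len)
{
    if (len > size)
        return ERR_BUF_TOO_SMALL;
    return write_end_unchecked(buf, size, tmp, len);
}

/* Places a caller buffer of `size` bytes inside a larger arena so the stray
 * write stays within one object, then counts overwritten canary bytes. */
static size_t guard_bytes_clobbered(int checked, size_t size, size_t len)
{
    unsigned char arena[GUARD + 128], tmp[GUARD]; /* tmp: constructed key DER */
    unsigned char *buf = arena + GUARD;
    size_t i, hit = 0;
    if (size > 128 || len > sizeof(tmp))
        return (size_t) -1;
    memset(arena, CANARY, sizeof(arena));
    memset(tmp, 0x30, sizeof(tmp));
    (checked ? write_end_checked : write_end_unchecked)(buf, size, tmp, len);
    for (i = 0; i < GUARD; i++)
        hit += (arena[i] != CANARY);
    return hit;
}

int main(void)
{
    printf("unchecked: %zu, checked: %zu\n",
           guard_bytes_clobbered(0, 16, 48), guard_bytes_clobbered(1, 16, 48));
    return 0;
}
```

With a 16-byte destination and a 48-byte encoding, the unchecked copy lands 32 bytes in front of the buffer, which is the memory the Impact section describes as corrupted; the checked variant leaves it untouched and reports an error instead.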

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

References

2
