Bug 1216078 (CVE-2023-45199)

Summary: VUL-0: CVE-2023-45199: mbedtls: buffer overflow in TLS handshake parsing with ECDH
Product: [openSUSE] openSUSE Distribution
Reporter: SMASH SMASH <smash_bz>
Component: Security
Assignee: Martin Pluskal <mpluskal>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, otto.hollmann, pmonrealgonzalez
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/381070/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-10-10 06:49:49 UTC
Title: Buffer overflow in TLS handshake parsing with ECDH
CVE: CVE-2023-45199
Date: 05 October 2023
Affects: Mbed TLS 3.2.0 and above
Impact: A remote attacker may cause arbitrary code execution.
Severity: HIGH
Credit: OSS-Fuzz


Vulnerability:
A TLS 1.3 client or server configured with support for signature-based authentication (i.e. any non-PSK key exchange) is vulnerable to a heap buffer overflow. The server copies up to 65535 bytes in a buffer that is shorter. An unauthenticated malicious peer can overflow the TLS handshake structure by sending an overly long ECDH or FFDH public key.

A TLS 1.2 server configured with MBEDTLS_USE_PSA_CRYPTO and with support for a cipher suite using ECDH and a signature is vulnerable to a heap buffer overflow. An unauthenticated malicious peer can overflow the TLS handshake structure by sending an overly long ECDH public key. The server copies up to 255 bytes into a heap buffer that is sized for a valid public key, and thus shorter unless RSA or FFDH is enabled in addition to ECDH. TLS 1.2 clients and builds without MBEDTLS_USE_PSA_CRYPTO are not affected.

References:
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2023-10-2/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45199
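The bounds check whose absence the advisory describes, as an added example in C that is not Mbed TLS code: a constructed handshake structure whose public-key buffer is sized for a valid key (the 133-byte capacity is an assumption for illustration), and a parser that validates the peer's declared length against both the remaining message and that buffer before copying. The 1-byte and 2-byte length prefixes correspond to the 255-byte and 65535-byte maxima the advisory cites for TLS 1.2 and TLS 1.3 respectively.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed handshake structure whose public-key buffer is sized for a valid
 * key, as the advisory describes. The capacity is hypothetical, not Mbed TLS's. */
#define PEER_PUBKEY_CAP 133
typedef struct {
    uint8_t peer_pubkey[PEER_PUBKEY_CAP];
    size_t  peer_pubkey_len;
} handshake_t;

enum { PK_OK = 0, PK_ERR_TRUNCATED = -1, PK_ERR_TOO_LONG = -2, PK_ERR_BAD_ARG = -3 };

/* Parse a length-prefixed public key from the peer's handshake message into hs.
 * len_bytes is 1 for the TLS 1.2 ECPoint encoding (at most 255 bytes) and 2 for
 * a TLS 1.3 key_share entry (at most 65535 bytes). The capacity check is the one
 * whose absence lets a peer-chosen length drive memcpy past the end of hs. */
int parse_peer_pubkey(handshake_t *hs, const uint8_t *p, size_t avail, int len_bytes)
{
    size_t declared;
    if (hs == NULL || p == NULL || (len_bytes != 1 && len_bytes != 2))
        return PK_ERR_BAD_ARG;
    if (avail < (size_t)len_bytes)
        return PK_ERR_TRUNCATED;
    declared = (len_bytes == 1) ? p[0] : (((size_t)p[0] << 8) | p[1]);
    p += len_bytes;
    avail -= (size_t)len_bytes;
    if (declared > avail)            /* must fit the remaining message ... */
        return PK_ERR_TRUNCATED;
    if (declared > PEER_PUBKEY_CAP)  /* ... and the destination, before any copy */
        return PK_ERR_TOO_LONG;
    memcpy(hs->peer_pubkey, p, declared);
    hs->peer_pubkey_len = declared;
    return PK_OK;
}

/* Build a constructed message "<prefix claiming `declared`><body_len filler bytes>"
 * (body_len <= 65535; declared <= 255 when len_bytes is 1) and return the parser's
 * verdict, so boundary cases can be exercised without a network peer. */
int check_key_share(size_t declared, size_t body_len, int len_bytes)
{
    static uint8_t msg[2 + 65535];
    handshake_t hs;
    size_t n = 0;
    if (len_bytes == 2)
        msg[n++] = (uint8_t)(declared >> 8);
    msg[n++] = (uint8_t)(declared & 0xff);
    memset(msg + n, 0x04, body_len);  /* 0x04 (uncompressed-point tag) as filler */
    return parse_peer_pubkey(&hs, msg, n + body_len, len_bytes);
}
```

A valid key at or below the capacity is accepted; a declared length above it is rejected before any byte is copied, regardless of which prefix width the protocol version uses.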
Comment 2 OBSbugzilla Bot 2023-10-11 12:35:07 UTC
This is an autogenerated message for OBS integration:
This bug (1216078) was mentioned in
https://build.opensuse.org/request/show/1116911 Factory / mbedtls