CVE-2024-45157 in mbed TLS
Summary
by MITRE • 09/05/2024
An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 06/06/2026
The vulnerability identified as CVE-2024-45157 affects Mbed TLS cryptographic library versions prior to 2.28.9 and 3.6.1, presenting a significant weakness in the library's random number generation implementation. This issue specifically relates to the PSA (Platform Security Architecture) subsystem's handling of HMAC Deterministic Random Bit Generation, where the expected behavior differs from the actual implementation. The flaw manifests when developers configure the library to use HMAC_DRBG as their random number generator, but the system fails to honor this configuration under normal operating conditions.
The technical root cause of this vulnerability stems from a misconfiguration in how Mbed TLS processes user-selected cryptographic algorithms within its PSA subsystem. When MBEDTLS_PSA_HMAC_DRBG_MD_TYPE is enabled, the library does not actually utilize HMAC_DRBG as intended, despite the configuration suggesting otherwise. This behavior deviates from the documented expectations and creates a scenario where the cryptographic system operates with less secure random number generation than specified by the user. The vulnerability specifically occurs when both MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled, which represents a narrow but critical operational condition that can lead to unexpected security outcomes.
The operational impact of this vulnerability extends beyond simple configuration misalignment, as it fundamentally undermines the security assurances that applications built on Mbed TLS expect to receive from their cryptographic implementations. When applications configure HMAC_DRBG as their preferred random number generator, they rely on the cryptographic strength and predictability that this algorithm provides, particularly for generating session keys, nonces, and other security-critical values. The failure to properly implement the selected algorithm means that even systems designed with strong cryptographic requirements may be operating with weaker entropy sources, potentially making them vulnerable to attacks that exploit predictable or insufficiently random values.
This vulnerability aligns with CWE-254, which addresses weaknesses in cryptographic implementations, and represents a specific instance of improper implementation of cryptographic protocols. From an ATT&CK framework perspective, this issue could be leveraged as part of a broader attack chain under techniques such as T1583.001 (Preparation: Account Access) and T1078 (Valid Accounts), where adversaries might exploit predictable random number generation to compromise key management or session tokens. The weakness creates opportunities for attackers to perform cryptographic attacks that rely on predictable values, potentially leading to session hijacking, key recovery, or other advanced persistent threats. Organizations using affected Mbed TLS versions should consider this vulnerability as a potential entry point for sophisticated attacks that exploit the underlying cryptographic implementation weaknesses.
The recommended mitigation strategy involves upgrading to Mbed TLS versions 2.28.9 or 3.6.1, which contain the necessary patches to ensure that user-selected algorithms are properly implemented according to their configuration. Additionally, system administrators should conduct comprehensive audits of their cryptographic configurations to identify any applications that may be relying on the incorrect behavior, and implement proper monitoring to detect potential deviations from expected cryptographic performance. Security teams should also review their cryptographic libraries and update them regularly to prevent similar issues from arising in future deployments.