CVE-2024-45158 in mbed TLSinfo

Summary

by MITRE • 09/05/2024

An issue was discovered in Mbed TLS 3.6 before 3.6.1. A stack buffer overflow in mbedtls_ecdsa_der_to_raw() and mbedtls_ecdsa_raw_to_der() can occur when the bits parameter is larger than the largest supported curve. In some configurations with PSA disabled, all values of bits are affected. (This never happens in internal library calls, but can affect applications that call these functions directly.)

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 06/06/2026

The vulnerability identified as CVE-2024-45158 represents a critical stack buffer overflow in the Mbed TLS cryptographic library version 3.6.0 and earlier. This flaw manifests within the elliptic curve digital signature algorithm implementation, specifically affecting the mbedtls_ecdsa_der_to_raw() and mbedtls_ecdsa_raw_to_der() functions. The issue arises when the bits parameter exceeds the maximum supported curve size, creating a condition where memory allocation does not properly account for the input parameters. The vulnerability is particularly concerning because it can be exploited by applications that directly invoke these functions, as opposed to being limited to internal library operations.

The technical root cause of this vulnerability lies in inadequate input validation and buffer boundary checking within the elliptic curve signature conversion functions. When applications pass curve parameters that exceed supported limits, the functions fail to properly validate the bits parameter against the maximum curve size, leading to memory corruption through stack buffer overflow. This type of vulnerability falls under CWE-121, stack-based buffer overflow, and represents a classic example of improper input validation in cryptographic libraries. The flaw is exacerbated by the fact that certain configurations with PSA (Platform Security Architecture) disabled make all values of bits susceptible to this condition, expanding the attack surface significantly.

The operational impact of CVE-2024-45158 extends beyond simple memory corruption, as it can potentially enable remote code execution or denial of service attacks in applications that rely on Mbed TLS for cryptographic operations. Systems utilizing affected versions of Mbed TLS for SSL/TLS implementations, certificate validation, or digital signature processing are at risk of being compromised. Attackers could exploit this vulnerability by crafting malicious cryptographic parameters that trigger the buffer overflow condition, potentially allowing them to overwrite adjacent stack memory or manipulate program execution flow. This vulnerability directly aligns with ATT&CK technique T1552.001 for unsecured credentials and T1059.001 for command and script injection, as it can be leveraged to gain unauthorized access to systems through cryptographic manipulation.

Organizations utilizing Mbed TLS in their security infrastructure must prioritize immediate remediation of this vulnerability through updating to version 3.6.1 or later, which includes proper bounds checking and input validation for the affected functions. System administrators should conduct thorough vulnerability assessments to identify all applications that directly call the vulnerable mbedtls_ecdsa_der_to_raw() and mbedtls_ecdsa_raw_to_der() functions, as these may be exposed to the attack vector. Additionally, implementing runtime protections such as stack canaries and address space layout randomization can provide additional defense in depth. The fix implemented in version 3.6.1 addresses the core issue by introducing proper parameter validation that ensures the bits parameter does not exceed the maximum supported curve size, preventing the buffer overflow condition from occurring. Security teams should also monitor for any potential exploitation attempts targeting this vulnerability, particularly in environments where applications directly interface with the Mbed TLS cryptographic functions without proper parameter validation layers.

Responsible

MITRE

Reservation

08/22/2024

Disclosure

09/05/2024

Moderation

accepted

CPE

ready

EPSS

0.00677

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!