Buffer overflow in mbedtls_x509_set_extension()

Title

Buffer overflow in mbedtls_x509_set_extension().

CVE

CVE-2024-23775

Date

09 January 2024

Affects

All versions of Mbed TLS up to and including 2.28.6 and 3.5.1

Impact

Potential DOS

Severity

Low

Credit

Jonathan Winzig (Hilscher Gesellschaft für Systemautomation mbH)

Vulnerability

When writing x509 extensions we failed to validate inputs passed in to mbedtls_x509_set_extension(), which could result in an integer overflow, causing a zero-length buffer to be allocated to hold the extension. The extension would then be copied into the buffer, causing a heap buffer overflow.

Impact

Potential segfault resulting from the buffer overflow, thus potential DOS.

Resolution

Affected users will want to upgrade to Mbed TLS 3.5.2 or 2.28.7 depending on the branch they’re currently using.

Work-around

Ensure that a length of SIZE_MAX cannot be passed into mbedtls_x509_set_extension()