CVE-2017-18187 — Integer Overflow or Wraparound in ARM Mbed TLS

CWE-190 — Integer Overflow or Wraparound10 documents7 sources

Severity

9.8CRITICALNVD

EPSS

0.6%

top 31.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mbed Mbedtls ARM Mbed TLS Debian Linux

Timeline

PublishedFeb 14

Latest updateMay 13

Description

In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an integer overflow in PSK identity parsing in the ssl_parse_client_psk_identity() function in library/ssl_srv.c.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDarm/mbed_tls< 2.7.0

▶Debianmbed/mbedtls< 2.7.0-2+3

▶Ubuntumbed/mbedtls< 2.2.1-2ubuntu0.3

Also affects: Debian Linux 8.0, 9.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-3g9w-ghrc-hc72: In ARM mbed TLS before 2↗2022-05-13

▶

OSV

mbedtls vulnerabilities↗2020-02-05

▶

CVEList

CVE-2017-18187: In ARM mbed TLS before 2↗2018-02-14

▶

OSV

CVE-2017-18187: In ARM mbed TLS before 2↗2018-02-14

▶

📋Vendor Advisories

Ubuntu

ARM mbed TLS vulnerabilities↗2020-02-05

▶

Debian

CVE-2017-18187: mbedtls - In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an integer ...↗2017

▶

💬Community

Bugzilla

CVE-2017-18187 mbedtls: Bounds-check bypass via integer overflow in ssl_srv.c:ssl_parse_client_psk_identity()↗2018-02-15

▶

Bugzilla

CVE-2017-18187 CVE-2018-0487 CVE-2018-0488 mbedtls: various flaws [epel-all]↗2018-02-13

▶

Bugzilla

CVE-2017-18187 CVE-2018-0487 CVE-2018-0488 mbedtls: various flaws [fedora-all]↗2018-02-13

▶