CVE-2024-45157Incorrect Behavior Order in ARM Mbed TLS

CWE-696Incorrect Behavior Order6 documents6 sources
Severity
5.1MEDIUMNVD
EPSS
0.2%
top 62.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
ARM Mbed TLS
Timeline
PublishedSep 5
Latest updateNov 12

Description

An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 1.4 | Impact: 3.6

Affected Packages1 packages

NVDarm/mbed_tls2.26.02.28.9+1

🔴Vulnerability Details

3
OSV
CVE-2024-45157: An issue was discovered in Mbed TLS before 22024-09-05
CVEList
CVE-2024-45157: An issue was discovered in Mbed TLS before 22024-09-05
GHSA
GHSA-cvp8-hm87-hr8x: An issue was discovered in Mbed TLS before 22024-09-05

📋Vendor Advisories

2
Microsoft
CVE-2024-45157: NIST NVD Details: https://nvd2024-11-12
Debian
CVE-2024-45157: mbedtls - An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which...2024
CVE-2024-45157 — Incorrect Behavior Order in ARM | cvebase