CVE-2024-45159Improper Certificate Validation in ARM Mbed TLS

CWE-295Improper Certificate Validation6 documents6 sources
Severity
9.8CRITICALNVD
EPSS
0.6%
top 31.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mbed MbedtlsARM Mbed TLS
Timeline
PublishedSep 5
Latest updateNov 12

Description

An issue was discovered in Mbed TLS 3.x before 3.6.1. With TLS 1.3, when a server enables optional authentication of the client, if the client-provided certificate does not have appropriate values in if keyUsage or extKeyUsage extensions, then the return value of mbedtls_ssl_get_verify_result() would incorrectly have the MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_KEY_USAGE bits clear. As a result, an attacker that had a certificate valid for uses other than TLS client authentication

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDarm/mbed_tls3.2.03.6.1
Alpinembed/mbedtls< 3.6.1-r0+3

🔴Vulnerability Details

3
OSV
CVE-2024-45159: An issue was discovered in Mbed TLS 32024-09-05
GHSA
GHSA-cr54-4mf7-rg5v: An issue was discovered in Mbed TLS 32024-09-05
CVEList
CVE-2024-45159: An issue was discovered in Mbed TLS 32024-09-05

📋Vendor Advisories

2
Microsoft
CVE-2024-45159: NIST NVD Details: https://nvd2024-11-12
Debian
CVE-2024-45159: mbedtls - An issue was discovered in Mbed TLS 3.x before 3.6.1. With TLS 1.3, when a serve...2024
CVE-2024-45159 — Improper Certificate Validation in ARM | cvebase