CVE-2023-43615: 
Mbed TLS vulnerability analysis and mitigation

CVE-2023-43615 affects Mbed TLS versions 2.x before 2.28.5 and 3.x before 3.5.0, involving a Buffer Overflow vulnerability. The vulnerability was discovered and disclosed in October 2023, impacting the Mbed TLS cryptographic and SSL/TLS library, which is a lightweight open-source library written in C that provides cryptographic and SSL/TLS capabilities for embedded applications (Mbed Advisory, NVD).

The vulnerability occurs when a peer in a (D)TLS connection using a null-cipher or RC4 cipher suite sends a malformed encrypted record. The TLS parsing code calculates the MAC of the record by subtracting the MAC length from the record length without proper validation, potentially leading to a buffer overread of nearly SIZE_MAX bytes. This affects all protocol versions up to 1.2, including DTLS, but TLS 1.3 is not affected. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Mbed Advisory, NVD).

The vulnerability can allow a remote attacker to cause a crash or information disclosure. On platforms with memory protection, this typically results in a memory access fault. For platforms without memory protection, if the address space contains memory-mapped peripherals, the read operations can cause unpredictable results (Mbed Advisory).

Users should upgrade to Mbed TLS 3.5.0 or 2.28.5 depending on their current branch. For those unable to upgrade immediately, several workarounds exist: ensure MBEDTLSCIPHERNULLCIPHER is not enabled in version 3.x or 2.28, and in version 2.28 ensure MBEDTLSREMOVEARC4CIPHERSUITES is enabled or MBEDTLSARC4C is not enabled. Additionally, vulnerable cipher suites can be disabled at runtime using mbedtlssslconfciphersuites() or mbedtlssslconfciphersuitesforversion(). A firewall preventing the negotiation of null-cipher or RC4 cipher suites will also prevent exploitation (Mbed Advisory).