
Cloud Vulnerability DB
A community-led vulnerabilities database
Mbed TLS versions 3.5.x through 3.6.x before 3.6.2 contain a buffer underrun vulnerability in the pkwrite functionality when writing an opaque key pair. The vulnerability was discovered and disclosed on October 15, 2024, affecting the cryptographic functions mbedtls_pk_write_key_der() and mbedtls_pk_write_key_pem() (Mbed Advisory).
The vulnerability occurs when MBEDTLS_USE_PSA_CRYPTO is enabled and the PK context contains an opaque key (MBEDTLS_PK_OPAQUE). The issue manifests in three specific scenarios: when writing an elliptic curve key pair with mbedtls_pk_write_key_der() with MBEDTLS_ECP_C enabled and insufficient output buffer size, when writing an RSA key pair with mbedtls_pk_write_key_der() with a small output buffer, and when writing an RSA key pair with mbedtls_pk_write_key_pem() if MBEDTLS_MPI_MAX_SIZE is less than or equal to 420. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CISA-ADP).
The vulnerability can result in a buffer underrun of up to the size of the key representation. This can lead to stack or heap corruption depending on the location of the application buffer, potentially allowing for memory corruption and code execution (Mbed Advisory).
Users should upgrade to Mbed TLS version 3.6.2 to resolve the vulnerability. As a workaround, users can ensure that mbedtls_pk_write_key_der() is called with a buffer large enough for the content, using PSA_EXPORT_KEY_PAIR_MAX_SIZE as a safe buffer size. Additionally, mbedtls_pk_write_key_pem() is safe when MBEDTLS_MPI_MAX_SIZE >= 421 or when MBEDTLS_USE_PSA_CRYPTO is disabled (Mbed Advisory).
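Why the buffer size matters, as an added example (a simplified model written for this page, not Mbed TLS code): mbedtls_pk_write_key_der() places its output at the end of the caller's buffer, so a key representation longer than the buffer would start before the buffer unless the length is checked first. The model_* functions, the error code and the guard-region layout are hypothetical, and the key bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MODEL_ERR_BUF_TOO_SMALL (-1) /* hypothetical error code for this model */
#define GUARD 64                     /* guard bytes placed below the output buffer */

typedef unsigned char u8;
typedef int (*writer_fn)(u8 *, size_t, const u8 *, size_t);

/* Unchecked model: copies len key bytes to the END of buf[0..size).
 * When len > size the destination starts below buf: a buffer underrun. */
static int model_write_unchecked(u8 *buf, size_t size, const u8 *key, size_t len)
{
    memcpy(buf + size - len, key, len);
    return (int) len;
}

/* Checked model: refuses to write when the key does not fit. */
static int model_write_checked(u8 *buf, size_t size, const u8 *key, size_t len)
{
    if (len > size)
        return MODEL_ERR_BUF_TOO_SMALL;
    memcpy(buf + size - len, key, len);
    return (int) len;
}

/* Calls a writer with the output buffer placed after a guard region inside one
 * array, so an underrun stays inside arena and can be counted safely.
 * Requires out_size <= 64 and key_len <= 64. Returns guard bytes overwritten. */
static size_t guard_bytes_clobbered(writer_fn w, size_t out_size, size_t key_len, int *ret)
{
    u8 arena[GUARD + 64], key[64];
    size_t i, hit = 0;
    memset(arena, 0xA5, sizeof(arena)); /* fill pattern used to detect writes */
    memset(key, 0x11, sizeof(key));     /* constructed key bytes */
    *ret = w(arena + GUARD, out_size, key, key_len);
    for (i = 0; i < GUARD; i++)
        hit += (arena[i] != 0xA5);
    return hit;
}

int main(void)
{
    int r;
    size_t n = guard_bytes_clobbered(model_write_unchecked, 16, 48, &r);
    printf("unchecked: ret=%d, guard bytes overwritten=%zu\n", r, n);
    n = guard_bytes_clobbered(model_write_checked, 16, 48, &r);
    printf("checked:   ret=%d, guard bytes overwritten=%zu\n", r, n);
    return 0;
}
```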
Source: This report was generated using AI