CVE-2024-45157

Name of the Vulnerable Software and Affected Versions Mbed TLS versions prior to 2.28.9 Mbed TLS versions 3.x prior to 3.6.1

Description The issue is related to the misuse of a cryptographic algorithm in Mbed TLS, where the user-selected algorithm is not used. Specifically, enabling MBEDTLS PSA HMAC DRBG MD TYPE does not cause the PSA subsystem to use HMAC DRBG, unless MBEDTLS PSA CRYPTO EXTERNAL RNG and MBEDTLS CTR DRBG C are disabled. This could potentially allow an attacker to expose protected information.

Recommendations For Mbed TLS versions prior to 2.28.9, update to version 2.28.9 or later to resolve the issue. For Mbed TLS versions 3.x prior to 3.6.1, update to version 3.6.1 or later to resolve the issue. As a temporary workaround, consider disabling the use of the PSA subsystem until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation.