Vulnerability in Mbed TLS via MBEDTLS_SSL_DTLS_CONNECTION_ID


Summary of the vulnerability

An attacker can force Mbed TLS to read from an invalid memory address, via MBEDTLS_SSL_DTLS_CONNECTION_ID, in order to trigger a denial of service or to obtain sensitive information.
Vulnerable software: Fedora, SLES.
Severity of this announcement: 2/4.
Creation date: 02/01/2023.
References for this vulnerability: CVE-2022-46393, FEDORA-2023-3c4a525dcc, FEDORA-2023-7456a62f60, VIGILANCE-VUL-40201.

Description of the vulnerability

The Mbed TLS product allocates memory for its internal processing.

However, it tries to read a memory area outside the range it allocated, which either triggers a fatal error or discloses a fragment of memory.

An attacker can therefore force Mbed TLS to read from an invalid memory address, via MBEDTLS_SSL_DTLS_CONNECTION_ID, in order to trigger a denial of service or to obtain sensitive information.
Full bulletin, software filtering, emails, fixes, … (request your free trial)

This threat impacts software or systems such as Fedora, SLES.

Our Vigilance Vulnerability Alerts team determined that the severity of this computer threat is medium.

The trust level is: confirmed by the vendor, with an origin of: document.

An attacker with expert ability can exploit this vulnerability.

Solutions for this threat

Fedora 36: new mbedtls packages.
New packages are available:
  Fedora 36: mbedtls 2.28.2-1.fc36

Fedora 37: new mbedtls packages.
New packages are available:
  Fedora 37: mbedtls 2.28.2-1.fc37

SUSE LE 15 SP4: new mbedtls packages.
New packages are available:
  SUSE LE 15 SP4: mbedtls-devel 2.28.0-bp154.2.3.1, libmbedcrypto7 2.28.0-bp154.2.3.1, libmbedcrypto7-32bit 2.28.0-bp154.2.3.1, etc.
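To check whether a host already carries the fixed builds listed above, here is an added example (not code from the advisory or from the Mbed TLS project) that compares default `rpm -q` output against the fixed version-release strings given in this section; it uses a simplified RPM version comparison (no epoch handling) and constructed sample output:

```python
import re

# Fixed version-release strings from the advisory's "Solutions" section, keyed by distribution tag.
FIXED_VR = {"fc36": "2.28.2-1.fc36", "fc37": "2.28.2-1.fc37", "bp154": "2.28.0-bp154.2.3.1"}
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified rpmvercmp: compare numeric/alpha segments in order; numeric beats alpha, longer wins on tie."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvra(line):
    """Split 'name-version-release.arch' (default `rpm -q` output) into (name, version, release)."""
    nvr, _arch = line.strip().rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def is_fixed(version, release):
    """True if version-release is at or above the advisory's fixed build for the release's distribution tag."""
    tag = next((t for t in FIXED_VR if t in release), None)
    if tag is None:
        raise ValueError(f"no known distribution tag in release '{release}'")
    fixed_version, fixed_release = FIXED_VR[tag].split("-", 1)
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return order >= 0

def check_packages(rpm_q_lines):
    """Map each `rpm -q` line to True (patched) or False (still below the fixed build)."""
    return {line: is_fixed(v, r) for line, (_n, v, r) in ((l, parse_nvra(l)) for l in rpm_q_lines)}

# Constructed sample `rpm -q mbedtls libmbedcrypto7 libmbedcrypto7-32bit` output; not real host data.
SAMPLE = [
    "mbedtls-2.28.0-1.fc36.x86_64",
    "mbedtls-2.28.2-1.fc37.x86_64",
    "libmbedcrypto7-2.28.0-bp154.1.1.x86_64",
    "libmbedcrypto7-32bit-2.28.0-bp154.2.3.1.x86_64",
]

if __name__ == "__main__":
    for line, ok in check_packages(SAMPLE).items():
        print(f"{line}: {'patched' if ok else 'BELOW FIXED BUILD'}")
```

MBEDTLS_SSL_DTLS_CONNECTION_ID is a compile-time option of Mbed TLS, so a build that does not enable it does not contain the DTLS Connection ID code path; the package version check above is still the simplest fleet-wide control because it does not depend on knowing each build's configuration.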

Computer vulnerabilities alerting service

The Vigilance Vulnerability Alerts offer can be used to see the full notice.