CVE-2017-18187

moderate-risk

Published 2018-02-14

In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an integer overflow in PSK identity parsing in the ssl_parse_client_psk_identity() function in library/ssl_srv.c.

Do I need to act?

0.56% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: 32605dc83042d737e715a685e53176388d73540e, 83c9f495ffe70c7dd280b41fdfd4881485a3bc28

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (3)

Mbed Tls

Debian Linux

Affected Vendors

Debian Arm

References (14)

Third Party Advisory http://www.securityfocus.com/bid/103055

Third Party Advisory https://github.com/ARMmbed/mbedtls/blob/master/ChangeLog

Patch https://github.com/ARMmbed/mbedtls/commit/83c9f495ffe70c7dd280b41fdfd4881485a3bc...

Third Party Advisory https://security.gentoo.org/glsa/201804-19

https://usn.ubuntu.com/4267-1/

Third Party Advisory https://www.debian.org/security/2018/dsa-4138

Third Party Advisory https://www.debian.org/security/2018/dsa-4147

Third Party Advisory http://www.securityfocus.com/bid/103055

Third Party Advisory https://github.com/ARMmbed/mbedtls/blob/master/ChangeLog

Patch https://github.com/ARMmbed/mbedtls/commit/83c9f495ffe70c7dd280b41fdfd4881485a3bc...

Third Party Advisory https://security.gentoo.org/glsa/201804-19

https://usn.ubuntu.com/4267-1/

Third Party Advisory https://www.debian.org/security/2018/dsa-4138

Third Party Advisory https://www.debian.org/security/2018/dsa-4147

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 2/34 · Minimal

Exposure 9/34 · Low