CVE-2017-18187 Information

Description

In ARM mbed TLS before 2.7.0 there is a bounds-check bypass through an integer overflow in PSK identity parsing in the ssl_parse_client_psk_identity() function in library/ssl_srv.c.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

http://www.securityfocus.com/bid/103055 https://github.com/ARMmbed/mbedtls/blob/master/ChangeLog https://github.com/ARMmbed/mbedtls/commit/83c9f495ffe70c7dd280b41fdfd4881485a3bc28 https://security.gentoo.org/glsa/201804-19 https://usn.ubuntu.com/4267-1/ https://www.debian.org/security/2018/dsa-4138 https://www.debian.org/security/2018/dsa-4147

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8