CVE-2021-45450 : What You Need to Know

Learn about CVE-2021-45450, a vulnerability in Mbed TLS allowing policy bypass or oracle-based decryption. Find out the impacted versions, exploitation risk, and mitigation steps.

CVE-2021-45450 is a vulnerability in Mbed TLS versions before 2.28.0 and 3.x before 3.1.0 that allows policy bypass or oracle-based decryption, potentially exposing sensitive data to unauthorized access.

Understanding CVE-2021-45450

What is CVE-2021-45450?

In Mbed TLS versions prior to 2.28.0 and 3.x before 3.1.0, the functions psa_cipher_generate_iv and psa_cipher_encrypt allow policy bypass or oracle-based decryption when the output buffer is at a memory location accessible to an untrusted application.

The Impact of CVE-2021-45450

The vulnerability could lead to a compromise in confidentiality and integrity, allowing attackers to decrypt sensitive data and potentially perform unauthorized actions on affected systems.

Technical Details of CVE-2021-45450

Vulnerability Description

The issue arises due to improper validation of memory access restrictions, enabling unauthorized applications to potentially decrypt sensitive information.

Affected Systems and Versions

        Vendor: n/a
        Product: n/a
        Versions: Mbed TLS versions before 2.28.0 and 3.x before 3.1.0

Exploitation Mechanism

The vulnerability can be exploited by untrusted applications accessing memory locations where the output buffer is stored, leading to policy bypass or oracle-based decryption.

Mitigation and Prevention

Immediate Steps to Take

        Update Mbed TLS to version 2.28.0 or 3.1.0, which contain fixes for this vulnerability.
        Restrict access to vulnerable systems and applications to trusted entities only.

Long-Term Security Practices

        Regularly update software and firmware to patch vulnerabilities.
        Implement strong access control mechanisms to prevent unauthorized access to sensitive data.

Patching and Updates

Apply the available patches provided by Mbed TLS to secure the affected systems against potential exploits.
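
To find bundled copies of Mbed TLS that fall in the affected ranges listed above, the following Python script reads the library's version macros from its headers and compares them with the fixed releases 2.28.0 and 3.1.0. It is an added example, not code from Mbed TLS or from this advisory. It assumes the macros sit in mbedtls/version.h (2.x) or mbedtls/build_info.h (3.x); the sample paths and header contents are constructed.

```python
import os
import re
import sys

# Fixed releases named in the advisory above.
FIXED_2X, FIXED_3X = (2, 28, 0), (3, 1, 0)
# Assumption: version macros live in mbedtls/version.h (2.x) or mbedtls/build_info.h (3.x).
VERSION_HEADERS = {"version.h", "build_info.h"}
_MACRO = re.compile(
    r"^[ \t]*#[ \t]*define[ \t]+MBEDTLS_VERSION_(MAJOR|MINOR|PATCH)[ \t]+(\d+)", re.M)
_HDR = "#define MBEDTLS_VERSION_MAJOR {}\n#define MBEDTLS_VERSION_MINOR {}\n#define MBEDTLS_VERSION_PATCH {}\n"
# Constructed sample input (paths and contents are made up for the example).
SAMPLE_HEADERS = {
    "app-a/include/mbedtls/version.h": _HDR.format(2, 16, 4),
    "app-b/include/mbedtls/version.h": _HDR.format(2, 28, 0),
    "app-c/include/mbedtls/build_info.h": _HDR.format(3, 0, 0),
    "app-c/include/mbedtls/version.h": '#include "mbedtls/build_info.h"\n',
}

def parse_version(text):
    """Return (major, minor, patch) from the version macros, or None if any is missing."""
    found = {name: int(num) for name, num in _MACRO.findall(text)}
    if set(found) != {"MAJOR", "MINOR", "PATCH"}:
        return None
    return (found["MAJOR"], found["MINOR"], found["PATCH"])

def is_affected(version):
    """True for versions before 2.28.0, and for 3.x before 3.1.0."""
    return version < (FIXED_3X if version[0] >= 3 else FIXED_2X)

def audit(headers):
    """Turn {path: header text} into [(path, version, affected)], skipping files without macros."""
    parsed = ((path, parse_version(text)) for path, text in sorted(headers.items()))
    return [(p, v, is_affected(v)) for p, v in parsed if v is not None]

def load_tree(root):
    """Collect candidate headers from every directory named 'mbedtls' under root."""
    headers = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "mbedtls":
            for name in VERSION_HEADERS.intersection(files):
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                    headers[fh.name] = fh.read()
    return headers

if __name__ == "__main__":
    headers = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for path, version, affected in audit(headers):
        print("AFFECTED" if affected else "ok", ".".join(map(str, version)), path)
```

A match means the bundled copy predates the fixed release. Whether it is exposed as described above still depends on the output buffer being reachable by an untrusted application.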
