Mbed TLS
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*, +1 more
- >= 2.18.0, <= 3.6.5
- 4.0.0
A vulnerability exists in Mbed TLS versions prior to 3.6.6 and in TF-PSA-Crypto versions prior to 1.1.0, where the libraries misuse seeds in a Pseudo-Random Number Generator (PRNG). This flaw can lead to insufficient randomness, as cloning an application state that includes a random generator results in multiple instances generating the same random numbers. This is particularly problematic for cryptographic operations, as it can cause the same keys and nonces to be produced across instances, potentially allowing an adversary to exploit this predictability. The issue arises because, before the patched versions, there was no interface to reseed the PSA random generator after cloning, leaving it vulnerable to such attacks.
Cloning the state of a random generator can lead to identical outputs in all instances until a reseed occurs. This can compromise security by causing both instances to generate the same cryptographic keys and nonces, creating predictable patterns that could be exploited.
Users should upgrade to Mbed TLS 4.1.0 or later, or to Mbed TLS 3.6.6 or a later 3.6 version. For TF-PSA-Crypto users, upgrade to version 1.1.0 or later. These versions include functions to control the reseeding of the PSA random generator and automatically reseed the generator after a 'fork()' call. Applications that use legacy random generators must manually reseed after cloning.
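The cloning failure and its fix, as an added example that is not Mbed TLS code: a small HMAC-DRBG (constructed for illustration, not the library's CTR_DRBG) is deep-copied to model a fork() or snapshot. The copy that is not reseeded emits the same nonce as the parent; the copy reseeded with fresh entropy diverges. install_fork_reseed shows how an application could wire the automatic after-fork reseed using Python's os.register_at_fork, which is an assumption about application wiring rather than an Mbed TLS interface.

```python
import copy
import hashlib
import hmac
import os


class HmacDrbg:
    """Minimal HMAC-DRBG in the style of SP 800-90A, constructed for this
    example only; it is not Mbed TLS's CTR_DRBG or HMAC_DRBG code."""

    def __init__(self, seed: bytes):
        self.key = b"\x00" * 32
        self.v = b"\x01" * 32
        self._update(seed)

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def _update(self, provided: bytes) -> None:
        self.key = self._mac(self.v + b"\x00" + provided)
        self.v = self._mac(self.v)
        if provided:
            self.key = self._mac(self.v + b"\x01" + provided)
            self.v = self._mac(self.v)

    def reseed(self, entropy: bytes) -> None:
        """Mix fresh entropy into the state: the fix the advisory describes."""
        self._update(entropy)

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.v = self._mac(self.v)
            out += self.v
        self._update(b"")
        return out[:n]


def clone_state(drbg: HmacDrbg, fresh_entropy: bytes = b"") -> HmacDrbg:
    """Model fork()/snapshot: the child starts from a byte-for-byte copy of the
    parent's DRBG state. Empty fresh_entropy is the vulnerable behaviour;
    non-empty fresh_entropy reseeds the child as the patched versions do."""
    child = copy.deepcopy(drbg)
    if fresh_entropy:
        child.reseed(fresh_entropy)
    return child


def nonces_collide(parent: HmacDrbg, child: HmacDrbg, n: int = 16) -> bool:
    """Check a practitioner can run: do parent and child emit the same nonce?"""
    return parent.generate(n) == child.generate(n)


def install_fork_reseed(drbg: HmacDrbg) -> None:
    """Reseed in the child after a real fork(), mirroring the automatic
    after-fork reseed the fixed versions add (POSIX only; assumed wiring)."""
    if hasattr(os, "register_at_fork"):
        os.register_at_fork(after_in_child=lambda: drbg.reseed(os.urandom(32)))
```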