Mbed TLS and TF-PSA-Crypto Predictable Seed in Pseudo-Random Number Generator

Vulnerability

A vulnerability exists in Mbed TLS versions prior to 3.6.6, in Mbed TLS 4.x prior to 4.1.0, and in TF-PSA-Crypto versions prior to 1.1.0. The issue arises because the libraries can fall back to using `/dev/urandom` for entropy on Linux systems, which may lead to predictable random data being used in cryptographic operations. This is particularly problematic on embedded devices without hardware random generators, where `/dev/urandom` can return predictable data early in the boot process or during OS installation.

Impact

If an application uses an affected version of the library on Linux and relies on `/dev/urandom` at a time when the system lacks sufficient entropy, cryptographic operations may be compromised. This could result in predictable keys being generated; ECDSA signatures are particularly concerning, since predictable random data there could jeopardize the associated signature key.

Remediation

Users should upgrade to Mbed TLS 3.6.6 or a later 3.6.x version, or to TF-PSA-Crypto 1.1.0 or above. In these versions, the library uses `/dev/random` if `getrandom()` is unavailable, which is safer, although it may block on older Linux kernels. For Mbed TLS, package maintainers can revert to `/dev/urandom` by setting the `MBEDTLS_PLATFORM_DEV_RANDOM` option. Applications may also adjust the `mbedtls_platform_dev_random` variable to override the default setting.
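As an added illustration of the fixed fallback order described above (this is not code from Mbed TLS or TF-PSA-Crypto), the helper below gathers seed bytes from `getrandom()` and, only when that is unavailable, from `/dev/random`, never from `/dev/urandom`; it also reports which source served the request so an application can log a fallback. The function and enum names are assumptions for this example.

```c
/* Added example, not library code: seed gathering in the fixed-version order
 * (getrandom() first, /dev/random fallback, never /dev/urandom). Names assumed. */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#if defined(__linux__)
#include <sys/random.h>
#endif

enum seed_source { SEED_NONE = 0, SEED_GETRANDOM = 1, SEED_DEV_RANDOM = 2 };

/* Read exactly len bytes from a device node; 0 on success, -1 on failure. */
static int read_device(const char *path, unsigned char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    for (size_t got = 0; got < len;) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR) continue;   /* interrupted: retry */
        if (n <= 0) { close(fd); return -1; }    /* EOF or hard error */
        got += (size_t) n;
    }
    close(fd);
    return 0;
}

/* Fill buf with len bytes of seed material and report which source served it.
 * getrandom() with flags 0 blocks until the kernel pool is initialised, so it
 * cannot return the early-boot data that /dev/urandom would hand out. */
enum seed_source gather_seed(unsigned char *buf, size_t len)
{
#if defined(__linux__)
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, 0);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) break;   /* e.g. ENOSYS on old kernels: drop to /dev/random */
        got += (size_t) n;
    }
    if (got == len) return SEED_GETRANDOM;
#endif
    /* /dev/random may block on older kernels, as the advisory notes; that is
     * the intended trade-off versus predictable output. */
    if (read_device("/dev/random", buf, len) == 0) return SEED_DEV_RANDOM;
    return SEED_NONE;
}
```

An application that wants to know whether it ever hit the slower path can log when `gather_seed` returns `SEED_DEV_RANDOM`, which on a modern kernel with `getrandom()` should not happen.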

Added: Apr 1, 2026, 7:25 PM
Updated: Apr 1, 2026, 7:25 PM

Vulnerability Rating

Custom Algorithm

| Metric | Score |
| --- | --- |
| spread | 8.6 |
| impact | 5.0 |
| exploitability | 7.0 |
| remediation | 8.3 |
| relevance | 4.8 |
| threat | 0.0 |
| urgency | 2.9 |
| incentive | 4.2 |

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.