Mbed TLS and TF-PSA-Crypto Finite-Field Diffie-Hellman Lack of Contributory Behavior Vulnerability

Vulnerability

A vulnerability exists in Mbed TLS versions 3.5.x and 3.6.x prior to 3.6.5, as well as in TF-PSA-Crypto 1.0. The affected versions do not sufficiently validate the peer's public value in finite-field Diffie-Hellman (FFDH) key agreement, so a peer can choose a degenerate value (for example 1 or p-1) that forces the shared secret into a small, predictable set regardless of the local private key. Diffie-Hellman is then no longer contributory: one side can fix the result on its own. This is a problem for protocols that rely on contributory behavior. TLS 1.3 is not affected, because its key schedule binds the shared secret to the authenticated handshake transcript, including both key shares, so degenerate shares cannot be substituted without the handshake failing. The vulnerability can be exploited by the peer or, in some protocols, by an active network attacker.

Impact

Exploitation of this vulnerability allows a peer to control the FFDH shared secret, forcing it into a small set of values that it knows in advance. The impact is limited to protocols built on the library that assume contributory behavior, i.e. that each party's input genuinely influences the shared secret; in such a protocol a peer, or an active attacker where the key shares are not otherwise authenticated, can drive both sides to a known key. TLS 1.3 is not impacted, as noted above.
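The following is an added example, not code from Mbed TLS or TF-PSA-Crypto, illustrating the mechanism described in the Vulnerability and Impact sections: an unvalidated peer value lets the peer force the FFDH shared secret, and full public-key validation in the style of NIST SP 800-56A (range check plus subgroup-membership check) rejects such values. The group parameters (p = 1019, q = 509, g = 4) are a constructed toy safe-prime group chosen for readability; the logic is unchanged for RFC 7919 groups, where g = 2 and q = (p - 1) // 2.

```python
"""Added example (not project code): FFDH peer-value validation and the
shared-secret confinement that happens without it.

Toy safe-prime group, constructed for this example: p = 2q + 1 with p and q
prime, and g = 4 generating the order-q subgroup. Substitute an RFC 7919 group
(p, g = 2, q = (p - 1) // 2) for real use; no other change is needed.
"""
import secrets

P = 1019
Q = (P - 1) // 2   # 509, the order of the prime-order subgroup
G = 4              # 4 = 2^2 is a quadratic residue, hence of order q


def keypair(p=P, g=G, q=Q):
    """Generate an FFDH private key x in [1, q-1] and public value y = g^x mod p."""
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)


def validate_peer_public(y, p=P, q=Q):
    """Full public-key validation for a safe-prime FFDH group.

    The range check rejects 0, 1 and p-1 (the only order-2 element) as well as
    values outside the field. The subgroup check rejects any remaining value of
    order 2q, so only elements of the order-q subgroup generated by g pass.
    """
    if not isinstance(y, int):
        return False
    if y < 2 or y > p - 2:
        return False
    return pow(y, q, p) == 1


def shared_secret_unchecked(x, y, p=P):
    """Vulnerable pattern: exponentiate whatever the peer sent."""
    return pow(y, x, p)


def shared_secret_checked(x, y, p=P, q=Q):
    """Fixed pattern: refuse to derive a secret from an invalid peer value."""
    if not validate_peer_public(y, p, q):
        raise ValueError("invalid FFDH peer public value")
    return pow(y, x, p)


def forced_secrets(bad_y, trials=200, p=P, q=Q):
    """Collect the distinct shared secrets that a malicious peer value produces
    against many fresh local private keys. A contributory exchange would give
    about `trials` distinct values; a degenerate peer value gives one or two.
    """
    seen = set()
    for _ in range(trials):
        x, _ = keypair(p, G, q)
        seen.add(shared_secret_unchecked(x, bad_y, p))
    return seen


if __name__ == "__main__":
    # Honest exchange: both sides validate and agree on the same secret.
    xa, ya = keypair()
    xb, yb = keypair()
    assert shared_secret_checked(xa, yb) == shared_secret_checked(xb, ya)

    # Lack of contributory behaviour: the peer picks the outcome.
    for bad in (0, 1, P - 1):
        print(f"peer value {bad}: unchecked secrets seen = {sorted(forced_secrets(bad))}, "
              f"validation accepts = {validate_peer_public(bad)}")
```

The range check alone is what blocks this particular issue: in a safe-prime group the only elements of low order are 1 and p-1, so confining y to [2, p-2] leaves no value that can pin the secret to a tiny set. The extra exponentiation `pow(y, q, p)` additionally rejects elements of order 2q, which would otherwise leak the parity of the local private key; it costs one modular exponentiation of the full modulus size, which is why some implementations make it optional.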

Remediation

Users should upgrade to Mbed TLS 3.6.6 or later, or TF-PSA-Crypto 1.1.0 or later. Users who maintain their own branches with backported bug fixes can apply the corresponding fixing commits.

Added: Apr 1, 2026, 8:25 PM
Updated: Apr 1, 2026, 8:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.0
remediation: 0.0
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.