Mbed TLS CVE-2024-45159 TLS 1.3 Optional Client Auth Bypass

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Name: Limited authentication bypass in TLS 1.3 optional client authentication 2. CVE ID: CVE-2024-45159 3. Release Date: 30 August 2024 4. Affected Versions: Mbed TLS 3.2.0 to 3.6.0 5. Severity: Medium 6. Vulnerability Description: - TLS servers can use optional client authentication and then call after the handshake to check whether the client provided a certificate and whether it is valid. - In Mbed TLS 3.6.0, if the client's certificate lacks the and extensions, returns 0, incorrectly indicating that the certificate is valid. - This vulnerability only affects optional client authentication in TLS 1.3 and does not impact mandatory authentication or TLS 1.2. 7. Impact: - Attackers can use valid non-TLS client authentication certificates to perform TLS client authentication. - The certificate must be valid (particularly signed by a trusted CA). 8. Affected Versions: - The vulnerability exists in version 3.2.0, which is the first version supporting client authentication in TLS 1.3. - Prior to 3.6.0, client authentication in TLS 1.3 was disabled by default, so this vulnerability was not present in default builds. - Starting from 3.6.0, client authentication in TLS 1.3 became enabled by default, introducing the vulnerability into default configurations. 9. Solution: - Affected users should upgrade to Mbed TLS 3.6.1. 10. Workaround: - Enforce the use of TLS 1.2 with optional client authentication to avoid this issue. All servers that call should also call . This information helps understand the nature of the vulnerability, its scope of impact, and how to resolve or circumvent the issue.

Goal Reached Thanks to every supporter — we hit 100%!

Mbed TLS CVE-2024-45159 TLS 1.3 Optional Client Auth Bypass