CVE-2025-49600: CWE-325 Missing Cryptographic Step in Mbed mbedtls
In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS (Leighton-Micali Signature) forgery in a fault scenario. Specifically, unchecked return values in mbedtls_lms_verify allow an attacker (who can induce a hardware hash accelerator fault) to bypass LMS signature verification by reusing stale stack data, resulting in acceptance of an invalid signature. In mbedtls_lms_verify, the return values of the internal Merkle tree functions create_merkle_leaf_value and create_merkle_internal_value are not checked. These functions return an integer that indicates whether the call succeeded or not. If a failure occurs, the output buffer (Tc_candidate_root_node) may remain uninitialized, and the result of the signature verification is unpredictable. When the software implementation of SHA-256 is used, these functions will not fail. However, with hardware-accelerated hashing, an attacker could use fault injection against the accelerator to bypass verification.
AI Analysis
Technical Summary
CVE-2025-49600 is a medium-severity vulnerability affecting MbedTLS versions from 3.3.0 up to but not including 3.6.4. The issue lies in the mbedtls_lms_verify function, which is responsible for verifying LMS (Leighton-Micali Signature) signatures. Specifically, the vulnerability arises because the function fails to check the return values of internal Merkle tree computation functions, create_merkle_leaf_value and create_merkle_internal_value. These functions return status codes indicating success or failure. If a failure occurs, particularly during hash computations, the output buffer used in signature verification may remain uninitialized. This leads to unpredictable verification results, potentially allowing invalid signatures to be accepted. The vulnerability is exploitable only in scenarios where hardware-accelerated hashing is used because the software SHA-256 implementation does not fail in this manner. An attacker capable of inducing faults in the hardware hash accelerator (e.g., via fault injection techniques) can cause the hash computation to fail silently, bypass the signature verification process, and forge LMS signatures by reusing stale stack data. This flaw compromises the integrity of signature verification, enabling attackers to impersonate legitimate signers or inject malicious data that appears valid. The vulnerability does not impact confidentiality or availability directly but poses a significant risk to data integrity and trustworthiness of cryptographic signatures. The CVSS 3.1 base score is 4.9 (medium), reflecting the complexity of exploitation (requires physical or close access to induce hardware faults), no privileges required, and no user interaction needed. No known exploits are reported in the wild as of the publication date. No patches were linked at the time of reporting, indicating that affected users should monitor for updates and apply them promptly once available.
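The unchecked-status pattern described above, reduced to a stand-alone C illustration added here (not Mbed TLS code). A toy hash that can be told to fail stands in for a faulting accelerator, `merkle_internal` plays the role of create_merkle_internal_value, and the stale stack content is passed in explicitly so the failure mode is deterministic rather than undefined behaviour; `verify_checked` shows the fail-closed form that closes the gap.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a hash backend that can fail the way a faulted
 * hardware accelerator might: a toy 4-byte mix, NOT SHA-256 and not Mbed TLS
 * code. Contract mirrors the real helpers: 0 on success, non-zero on error,
 * and `out` is written only on success. */
static int g_simulate_fault = 0;

static int toy_hash(const uint8_t *in, size_t len, uint8_t out[4])
{
    if (g_simulate_fault) return -1;            /* error path: out is NOT written */
    uint32_t h = 2166136261u;                   /* FNV-1a style mixing */
    for (size_t i = 0; i < len; i++) h = (h ^ in[i]) * 16777619u;
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(h >> (8 * i));
    return 0;
}

/* Parent = hash(left || right); plays the role of create_merkle_internal_value. */
static int merkle_internal(const uint8_t left[4], const uint8_t right[4], uint8_t out[4])
{
    uint8_t buf[8];
    memcpy(buf, left, 4);
    memcpy(buf + 4, right, 4);
    return toy_hash(buf, 8, out);
}

/* Vulnerable shape: the status is discarded, so after a failure the compare runs
 * on whatever the stack frame already held. `stale` stands in for that leftover
 * content to keep the demo deterministic rather than undefined. Returns 1 = accept. */
int verify_unchecked(const uint8_t left[4], const uint8_t right[4],
                     const uint8_t pub_root[4], const uint8_t stale[4])
{
    uint8_t candidate_root[4];
    memcpy(candidate_root, stale, 4);           /* models an uninitialised buffer */
    (void)merkle_internal(left, right, candidate_root);
    return memcmp(candidate_root, pub_root, 4) == 0;
}

/* Hardened shape: every hash step's status is checked and verification fails
 * closed, so a backend fault can never become an accepted signature. */
int verify_checked(const uint8_t left[4], const uint8_t right[4], const uint8_t pub_root[4])
{
    uint8_t candidate_root[4];
    if (merkle_internal(left, right, candidate_root) != 0) return 0;
    return memcmp(candidate_root, pub_root, 4) == 0;
}
```

With the software backend (no fault) both verifiers agree; once the backend fails, only the unchecked form can be steered to accept by whatever the buffer already held.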
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems relying on MbedTLS for cryptographic signature verification, especially those using hardware-accelerated hashing modules. Industries such as telecommunications, IoT device manufacturers, embedded systems in automotive or industrial control, and critical infrastructure sectors that employ LMS signatures for firmware or software authenticity verification could be impacted. The ability to forge signatures undermines the integrity of software updates, secure communications, and authentication mechanisms, potentially leading to unauthorized code execution or data manipulation. Although exploitation requires sophisticated fault injection attacks, the threat is more pronounced in environments where hardware security modules or accelerators are deployed without robust physical security controls. European organizations with supply chains or products incorporating vulnerable MbedTLS versions may face risks of counterfeit firmware or malicious updates, which can disrupt operations or compromise safety-critical systems. The medium severity suggests a moderate risk level, but the potential impact on trust and compliance with EU cybersecurity regulations (e.g., NIS2 Directive) could be significant if exploited.
Mitigation Recommendations
1. Immediate mitigation involves auditing all systems and devices using MbedTLS versions 3.3.0 up to but not including 3.6.4, particularly those employing hardware-accelerated hashing.
2. Apply vendor patches or updates as soon as they become available to ensure the return values of internal Merkle tree functions are properly checked and handled.
3. Where possible, disable hardware-accelerated hashing temporarily or configure systems to use the software SHA-256 implementation, which is not vulnerable to this fault injection scenario.
4. Implement physical security measures to prevent fault injection attacks, such as shielding hardware components, monitoring for abnormal hardware behavior, and restricting physical access to critical devices.
5. Conduct thorough testing and validation of cryptographic verification processes after updates or configuration changes to confirm signature verification integrity.
6. Incorporate runtime integrity checks and anomaly detection mechanisms to identify suspicious signature verification outcomes or repeated verification failures.
7. Engage with hardware vendors to understand the fault injection resistance of their accelerators and apply recommended firmware or hardware mitigations.
8. Maintain an inventory of affected devices and ensure supply chain partners are informed to coordinate remediation efforts.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-06T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6867eea86f40f0eb72a12684
Added to database: 7/4/2025, 3:09:28 PM
Last enriched: 7/4/2025, 3:24:43 PM
Last updated: 7/4/2025, 3:24:43 PM