
CVE-2025-49600: CWE-325 Missing Cryptographic Step in Mbed mbedtls

Medium
Tags: Vulnerability, CVE-2025-49600, CWE-325
Published: Fri Jul 04 2025 (07/04/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Mbed
Product: mbedtls

Description

In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS (Leighton-Micali Signature) forgery in a fault scenario. Specifically, unchecked return values in mbedtls_lms_verify allow an attacker (who can induce a hardware hash accelerator fault) to bypass LMS signature verification by reusing stale stack data, resulting in acceptance of an invalid signature. In mbedtls_lms_verify, the return values of the internal Merkle tree functions create_merkle_leaf_value and create_merkle_internal_value are not checked. These functions return an integer that indicates whether the call succeeded or not. If a failure occurs, the output buffer (Tc_candidate_root_node) may remain uninitialized, and the result of the signature verification is unpredictable. When the software implementation of SHA-256 is used, these functions will not fail. However, with hardware-accelerated hashing, an attacker could use fault injection against the accelerator to bypass verification.

AI-Powered Analysis

AI analysis last updated: 07/14/2025, 21:23:59 UTC

Technical Analysis

CVE-2025-49600 is a medium-severity vulnerability in Mbed TLS from 3.3.0 (the release that introduced LMS support) up to but not including 3.6.4. The flaw is in mbedtls_lms_verify, which verifies LMS (Leighton-Micali Signature, RFC 8554) signatures by recomputing the Merkle tree root from the signature's one-time-signature public key and authentication path and comparing it with the root carried in the public key. mbedtls_lms_verify calls the internal helpers create_merkle_leaf_value and create_merkle_internal_value without checking their return values. Both return a status code; when one fails, its output buffer, Tc_candidate_root_node, is left unwritten, and the final comparison is made against whatever that stack buffer already contains: uninitialized data, or the root left behind by an earlier verification in the same stack frame. If that leftover happens to equal the expected root, the forged signature is accepted. With the software SHA-256 implementation the helpers cannot fail, so the unchecked path is unreachable; it becomes reachable only when hashing is provided by hardware (an accelerator driver or alternative implementation) and the attacker can make that hardware return an error, for example by voltage or clock glitching. That is a high-complexity attack requiring physical or similarly privileged access, which is why the rating is medium even though a successful attack is a complete bypass of signature verification. Integrity is affected; confidentiality and availability are not. No exploitation in the wild is reported as of publication. The fix shipped in Mbed TLS 3.6.4: the return values are checked, so any failure in the Merkle computation propagates as an error instead of reaching the comparison.
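The following C program is an added illustration of the pattern described above; it is not Mbed TLS code and does not reproduce the real LMS parameters. It models the Merkle root recomputation with a toy 8-byte hash over an 8-leaf tree, places the vulnerable verifier (node results dropped) next to the fail-closed one, and shows what a faulted hash backend does to each. All names (toy_hash, leaf_value, internal_value, verify_unchecked, verify_checked, build_material, forged_signature_result), the key material and the error codes are constructed for the demo. The accelerator fault is modelled by a global flag, and the stack-resident candidate buffer is passed in explicitly so that the "stale data" effect is deterministic rather than a read of an uninitialised local.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NODE_LEN 8                /* toy node size; LMS with SHA-256 uses 32 bytes */
#define TREE_H   3                /* toy height: 2^3 = 8 leaves */
#define LEAVES   (1u << TREE_H)
#define SIG_LEAF 5u               /* leaf whose signature the scenarios verify */
#define ERR_VERIFY_FAILED (-1)    /* candidate root differs from the public root */
#define ERR_HASH          (-2)    /* hash backend reported a failure */
static int g_hash_fault = 0;      /* models the accelerator: 1 makes every hash call fail */

/* Constructed FNV-1a mix standing in for SHA-256; on a fault 'out' is deliberately left untouched. */
static int toy_hash(const uint8_t *in, size_t len, uint8_t out[NODE_LEN])
{
    if (g_hash_fault) return ERR_HASH;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= in[i]; h *= 0x100000001b3ULL; }
    for (int i = 0; i < NODE_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
    return 0;
}
/* Leaf = H(0x01 || index || OTS public key): the role of create_merkle_leaf_value (toy 8-bit index). */
static int leaf_value(uint32_t idx, const uint8_t *ots_pub, uint8_t out[NODE_LEN])
{
    uint8_t buf[2 + NODE_LEN] = { 0x01, (uint8_t)idx };
    memcpy(buf + 2, ots_pub, NODE_LEN);
    return toy_hash(buf, sizeof buf, out);
}
/* Internal = H(0x02 || left || right): the role of create_merkle_internal_value. Inputs are copied first, so 'out' may alias them. */
static int internal_value(const uint8_t *left, const uint8_t *right, uint8_t out[NODE_LEN])
{
    uint8_t buf[1 + 2 * NODE_LEN] = { 0x02 };
    memcpy(buf + 1, left, NODE_LEN);
    memcpy(buf + 1 + NODE_LEN, right, NODE_LEN);
    return toy_hash(buf, sizeof buf, out);
}

/* Vulnerable shape (the pre-3.6.4 pattern): node results are dropped, so after a fault 'candidate'
 * keeps whatever it held before. It stands in for the stack-resident Tc_candidate_root_node and is
 * caller-supplied so stale contents can be shown deterministically, not via an uninitialised local. */
static int verify_unchecked(const uint8_t *pub_root, uint32_t idx, const uint8_t *ots_pub,
                            uint8_t path[TREE_H][NODE_LEN], uint8_t candidate[NODE_LEN])
{
    leaf_value(idx, ots_pub, candidate);                                   /* result ignored */
    for (uint32_t n = LEAVES + idx, h = 0; h < TREE_H; n >>= 1, h++)      /* results ignored */
        (void)((n & 1) ? internal_value(path[h], candidate, candidate)
                       : internal_value(candidate, path[h], candidate));
    return memcmp(candidate, pub_root, NODE_LEN) == 0 ? 0 : ERR_VERIFY_FAILED;
}

/* Fail-closed shape: every node computation is checked and the first error is returned before
 * any comparison, so a faulted hash can never turn into a successful verification. */
static int verify_checked(const uint8_t *pub_root, uint32_t idx, const uint8_t *ots_pub,
                          uint8_t path[TREE_H][NODE_LEN])
{
    uint8_t candidate[NODE_LEN];
    int rc = leaf_value(idx, ots_pub, candidate);
    for (uint32_t n = LEAVES + idx, h = 0; rc == 0 && h < TREE_H; n >>= 1, h++)
        rc = (n & 1) ? internal_value(path[h], candidate, candidate)
                     : internal_value(candidate, path[h], candidate);
    if (rc != 0) { memset(candidate, 0, NODE_LEN); return rc; }
    return memcmp(candidate, pub_root, NODE_LEN) == 0 ? 0 : ERR_VERIFY_FAILED;
}

/* Constructed material: full tree (leaf i's OTS key is byte 0x10+i repeated, g_nodes[1] is the root),
 * the genuine path for SIG_LEAF, and an attacker's OTS key and path that belong to no tree. */
static uint8_t g_nodes[2 * LEAVES][NODE_LEN], g_path[TREE_H][NODE_LEN], g_bad_path[TREE_H][NODE_LEN];
static uint8_t g_key[NODE_LEN], g_bad_key[NODE_LEN];

/* Builds the material and self-checks it on a healthy accelerator. Returns 0 on success. */
int build_material(void)
{
    uint8_t cand[NODE_LEN] = { 0 };
    g_hash_fault = 0;
    for (uint32_t i = 0; i < LEAVES; i++) {
        memset(g_key, (int)(0x10 + i), NODE_LEN);
        if (leaf_value(i, g_key, g_nodes[LEAVES + i]) != 0) return ERR_HASH;
    }
    for (uint32_t n = LEAVES - 1; n >= 1; n--)
        if (internal_value(g_nodes[2 * n], g_nodes[2 * n + 1], g_nodes[n]) != 0) return ERR_HASH;
    for (uint32_t n = LEAVES + SIG_LEAF, h = 0; h < TREE_H; n >>= 1, h++)
        memcpy(g_path[h], g_nodes[n ^ 1], NODE_LEN);                      /* sibling per level */
    memset(g_key, (int)(0x10 + SIG_LEAF), NODE_LEN);
    memset(g_bad_key, 0xAA, NODE_LEN); memset(g_bad_path, 0xBB, sizeof g_bad_path);
    if (verify_unchecked(g_nodes[1], SIG_LEAF, g_key, g_path, cand) != 0 ||              /* genuine accepted */
        verify_checked(g_nodes[1], SIG_LEAF, g_key, g_path) != 0 ||
        verify_unchecked(g_nodes[1], SIG_LEAF, g_bad_key, g_bad_path, cand) != ERR_VERIFY_FAILED ||
        verify_checked(g_nodes[1], SIG_LEAF, g_bad_key, g_bad_path) != ERR_VERIFY_FAILED) return -3;
    return 0;
}

/* The fault scenario: a genuine verification first leaves the true root in 'cand' (the stale stack
 * data); the accelerator is then faulted and the bogus signature is verified into the same buffer.
 * checked == 0 runs verify_unchecked and returns 0 (forgery accepted); checked != 0 runs
 * verify_checked and returns ERR_HASH (fails closed). */
int forged_signature_result(int checked)
{
    uint8_t cand[NODE_LEN] = { 0 };
    int rc = build_material();
    if (rc != 0) return rc;
    (void)verify_unchecked(g_nodes[1], SIG_LEAF, g_key, g_path, cand);    /* true root now in cand */
    g_hash_fault = 1;
    rc = checked ? verify_checked(g_nodes[1], SIG_LEAF, g_bad_key, g_bad_path)
                 : verify_unchecked(g_nodes[1], SIG_LEAF, g_bad_key, g_bad_path, cand);
    g_hash_fault = 0;
    return rc;
}

int main(void) { printf("unchecked: %d  checked: %d\n", forged_signature_result(0), forged_signature_result(1)); return 0; }
```

Built with any C99 compiler (for example `cc -std=c99 -Wall`), the program prints `unchecked: 0  checked: -2`: the verifier that drops the node status codes accepts the bogus signature because the buffer still holds the root from the previous genuine verification, while the fail-closed verifier returns the hash error. The point of the caller-supplied buffer is that in real code the equivalent content is whatever the stack frame last held, which is exactly why the outcome on a faulted device is unpredictable rather than reliably safe.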

Potential Impact

The exposure is concentrated where Mbed TLS's LMS verification is the gate for something valuable. LMS is a stateful hash-based scheme adopted for firmware and bootloader signing in post-quantum migration plans, so the realistic target is a device that validates an LMS-signed update or boot image with a hardware SHA-256 engine. A successful attack gets attacker-controlled firmware or software accepted, which translates into code execution on the device and a supply-chain compromise of whatever that device fronts. For European organizations this points at telecommunications, critical infrastructure, IoT and embedded product lines, where Mbed TLS is widely used in constrained devices and hashing is offloaded to hardware for performance. The need for fault injection against the hash accelerator rules out remote mass exploitation, but not a targeted attack by a well-resourced adversary with physical access, since glitching a bootloader is a routine evaluation-lab technique. The medium rating reflects that attack cost and the absence of confidentiality or availability impact, not a small integrity impact: the signature's integrity guarantee is bypassed completely.

Mitigation Recommendations

European organizations should first identify all systems and devices running an affected Mbed TLS version (3.3.0 up to but not including 3.6.4) with LMS enabled (MBEDTLS_LMS_C) and SHA-256 provided by hardware; builds without LMS, or using the software SHA-256 implementation, are not exposed. Then:

1) Upgrade to Mbed TLS 3.6.4 or later, which checks the return values in mbedtls_lms_verify.

2) Where an upgrade cannot be deployed immediately, build with the software SHA-256 implementation for the LMS verification path; the helper functions cannot fail there, so the unchecked-return path is unreachable. Budget for the performance cost on constrained devices.

3) Alternatively, backport the fix to a pinned copy: treat any nonzero return from create_merkle_leaf_value and create_merkle_internal_value as a verification error, zeroize the candidate root, and never reach the comparison.

4) Harden the hashing path against fault injection where the hardware allows it (redundant hash computation with comparison, glitch detectors, brown-out detection), since the same fault could affect other verification code.

5) Keep a second, independent check on whatever the LMS signature protects, for example a secondary signature scheme on the same image or a measured-boot attestation of what was actually loaded, so that one bypassed verification does not by itself grant execution.

6) Log and alert on hash-backend errors and verification failures on fielded devices; a burst of hardware hash failures during an update or boot is the observable trace of an injection attempt.


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-06-06T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6867eea86f40f0eb72a12684

Added to database: 7/4/2025, 3:09:28 PM

Last enriched: 7/14/2025, 9:23:59 PM

Last updated: 7/14/2025, 9:23:59 PM
