Your Loyalty Card is a Liability: Lessons from the Co-op Attack

Source: https://substack.com/@alex133134/note/p-168474995?r=625rp3&utm_medium=ios&utm_source=notes-share-action

Reddit NetSec

Detailed information about Your Loyalty Card is a Liability: Lessons from the Co-op Attack. Get real-time updates, technical details, and mitigation strategies.

Your Loyalty Card is a Liability: Lessons from the Co-op Attack - Live Threat Intelligence - Threat Radar | OffSeq.com

Your Loyalty Card is a Liability: Lessons from the Co-op Attack

Reddit Discussion: Your Loyalty Card is a Liability: Lessons from the Co-op Attack

Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN).

CVE-2025-47917 is a high-severity use-after-free vulnerability (CWE-416) found in Mbed TLS, a widely used open-source cryptographic library designed for embedded systems and IoT devices. The vulnerability exists in versions prior to 3.6.4, specifically in the function mbedtls_x509_string_to_names(). This function is intended to parse X.509 certificate subject alternative names (SANs) and takes a 'head' argument documented as an output parameter. However, contrary to documentation, the function internally calls mbedtls_asn1_free_named_data_list() on this argument, which performs a deep free of the memory pointed to by 'head'. As a result, application code that relies solely on the documented behavior may continue to use pointers to memory that has already been freed, leading to use-after-free or double-free conditions. This discrepancy creates a high risk of memory corruption, which can be exploited to cause application crashes, denial of service, or potentially arbitrary code execution if an attacker can control the input data, such as SAN strings containing multiple distinguished names. The vulnerability affects applications developed according to the official documentation, including the Mbed TLS sample programs x509/cert_write and x509/cert_req when the SAN string contains more than one DN. The CVSS v3.1 score is 8.9, reflecting network attack vector, high impact on integrity and availability, and low attack complexity without privileges or user interaction. No known exploits are currently reported in the wild, and no official patches are linked yet, indicating the need for immediate attention from developers using affected versions of Mbed TLS.

CVE Database V5

Detailed information about CVE-2025-47917: CWE-416 Use After Free in Mbed mbedtls affecting Mbed mbedtls. Get real-time updates, technical details, and mitigati

CVE-2025-47917: CWE-416 Use After Free in Mbed mbedtls - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-47917: CWE-416 Use After Free in Mbed mbedtls

In Mbed TLS 3.6.1 through 3.6.3 before 3.6.4, a timing discrepancy in block cipher padding removal allows an attacker to recover the plaintext when PKCS#7 padding mode is used.

CVE-2025-49087 is a medium-severity vulnerability identified in Mbed TLS versions 3.6.1 through 3.6.3, specifically affecting the block cipher padding removal process when using PKCS#7 padding mode. The vulnerability arises due to a timing discrepancy during the removal of padding bytes after decryption. PKCS#7 padding adds bytes to plaintext to align it to the block size, and during decryption, these padding bytes are removed. In the affected versions of Mbed TLS, the time taken to remove padding varies depending on the correctness of the padding bytes. This timing difference creates a covert timing channel (classified under CWE-385), which an attacker can exploit to infer information about the plaintext. By carefully measuring the time taken for decryption operations, an attacker can gradually recover plaintext data without needing direct access to the decrypted output. The vulnerability does not require any privileges or user interaction and can be exploited remotely over a network, but it has a high attack complexity, meaning that successful exploitation requires precise timing measurements and conditions. The CVSS score of 4.0 reflects limited confidentiality impact (partial plaintext recovery), no impact on integrity or availability, and the requirement for high attack complexity. No known exploits are currently reported in the wild, and no official patches have been linked yet, although it is expected that Mbed will release a fix in version 3.6.4 or later. This vulnerability is particularly relevant for applications relying on Mbed TLS for secure communications, such as embedded devices, IoT systems, and network appliances that use PKCS#7 padding in their cryptographic operations.

Detailed information about CVE-2025-49087: CWE-385 Covert Timing Channel in Mbed mbedtls affecting Mbed mbedtls. Get real-time updates, technical details, and m

CVE-2025-49087: CWE-385 Covert Timing Channel in Mbed mbedtls - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-49087: CWE-385 Covert Timing Channel in Mbed mbedtls

Mbed TLS before 3.6.4 has a NULL pointer dereference because mbedtls_asn1_store_named_data can trigger conflicting data with val.p of NULL but val.len greater than zero.

CVE-2025-48965 is a medium severity vulnerability identified in Mbed TLS, a widely used open-source cryptographic library designed for embedded systems and IoT devices. The flaw arises from an incorrect behavior order in the function mbedtls_asn1_store_named_data, which handles ASN.1 encoded data storage. Specifically, the vulnerability is a NULL pointer dereference triggered when the function processes conflicting data where the pointer val.p is NULL but the length val.len is greater than zero. This inconsistency can cause the software to dereference a NULL pointer, leading to a crash or denial of service (DoS). The vulnerability affects all versions of Mbed TLS prior to 3.6.4. The CVSS v3.1 base score is 4.0, indicating a medium severity level. The vector indicates that the attack vector is network-based (AV:N), requires high attack complexity (AC:H), no privileges (PR:N), no user interaction (UI:N), and the scope is changed (S:C). The impact is limited to availability (A:L), with no confidentiality or integrity impact. There are no known exploits in the wild as of the publication date, and no patches are linked yet. This vulnerability could be exploited remotely to cause a denial of service by crashing applications relying on Mbed TLS for cryptographic operations, potentially disrupting services or embedded devices that depend on secure communications. Given Mbed TLS's role in securing communications in embedded and IoT environments, this vulnerability could affect a broad range of devices and applications if exploited.

Detailed information about CVE-2025-48965: CWE-696 Incorrect Behavior Order in Mbed mbedtls affecting Mbed mbedtls. Get real-time updates, technical details, an

CVE-2025-48965: CWE-696 Incorrect Behavior Order in Mbed mbedtls - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-48965: CWE-696 Incorrect Behavior Order in Mbed mbedtls

A vulnerability has been found in itsourcecode Insurance Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /insertPayment.php. The manipulation of the argument recipt_no leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Detailed information about CVE-2025-7905: SQL Injection in itsourcecode Insurance Management System affecting itsourcecode Insurance Management System. Get real

CVE-2025-7905: SQL Injection in itsourcecode Insurance Management System

CVE-2025-7905: SQL Injection in itsourcecode Insurance Management System

Description

Technical Details

Related Threats

CVE-2025-47917: CWE-416 Use After Free in Mbed mbedtls

CVE-2025-49087: CWE-385 Covert Timing Channel in Mbed mbedtls

CVE-2025-48965: CWE-696 Incorrect Behavior Order in Mbed mbedtls

CVE-2025-7904: SQL Injection in itsourcecode Insurance Management System

CVE-2025-7903: Improper Restriction of Rendered UI Layers in yangzongzhuan RuoYi

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility