CVE-2022-35409 - OpenCVE

An issue was discovered in Mbed TLS before 2.28.1 and 3.x before 3.2.0. In some configurations, an unauthenticated attacker can send an invalid ClientHello message to a DTLS server that causes a heap-based buffer over-read of up to 255 bytes. This can cause a server crash or possibly information disclosure based on error responses. Affected configurations have MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled and MBEDTLS_SSL_IN_CONTENT_LEN less than a threshold that depends on the configuration: 258 bytes if using mbedtls_ssl_cookie_check, and possibly up to 571 bytes with a custom cookie check function.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Arm	Mbed Tls

Configuration 1 [-]

OR	cpe:2.3:a:arm:mbed_tls::::::::
	cpe:2.3:a:arm:mbed_tls::::::::

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/Mbed-TLS/mbedtls/releases	Release Notes
https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html	Mailing List Third Party Advisory
https://mbed-tls.readthedocs.io/en/latest/security-advisories/advisories/mbedtls-security-advisory-2022-07.html	Exploit Mitigation Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-07-15T00:00:00

Updated: 2022-12-26T00:00:00

Reserved: 2022-07-08T00:00:00

Link: CVE-2022-35409

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-07-15T14:15:09.840

Modified: 2023-03-03T15:33:32.247

Link: CVE-2022-35409

JSON object: View

Redhat Information

No data.

CWE

CWE-125

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A6CE3E9-8C2E-4E08-AC08-94F602216EDD", "versionEndExcluding": "2.28.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CEA3354-400D-4AEA-B821-1D30FCA4C657", "versionEndExcluding": "3.2.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Mbed TLS before 2.28.1 and 3.x before 3.2.0. In some configurations, an unauthenticated attacker can send an invalid ClientHello message to a DTLS server that causes a heap-based buffer over-read of up to 255 bytes. This can cause a server crash or possibly information disclosure based on error responses. Affected configurations have MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled and MBEDTLS_SSL_IN_CONTENT_LEN less than a threshold that depends on the configuration: 258 bytes if using mbedtls_ssl_cookie_check, and possibly up to 571 bytes with a custom cookie check function."}, {"lang": "es", "value": "Se ha descubierto un problema en Mbed TLS antes de la versi\u00f3n 2.28.1 y 3.x antes de la 3.2.0. En algunas configuraciones, un atacante no autenticado puede enviar un mensaje ClientHello no v\u00e1lido a un servidor DTLS que provoca una sobrelectura del b\u00fafer basada en el mont\u00f3n de hasta 255 bytes. Esto puede causar una ca\u00edda del servidor o posiblemente la divulgaci\u00f3n de informaci\u00f3n basada en las respuestas de error. Las configuraciones afectadas tienen MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE habilitado y MBEDTLS_SSL_IN_CONTENT_LEN menos que un umbral que depende de la configuraci\u00f3n: 258 bytes si se utiliza mbedtls_ssl_cookie_check, y posiblemente hasta 571 bytes con una funci\u00f3n de comprobaci\u00f3n de cookies personalizada"}], "id": "CVE-2022-35409", "lastModified": "2023-03-03T15:33:32.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-15T14:15:09.840", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/Mbed-TLS/mbedtls/releases"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/advisories/mbedtls-security-advisory-2022-07.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}