CVE-2022-35409 - OpenCVE

An issue was discovered in Mbed TLS before 2.28.1 and 3.x before 3.2.0. In some configurations, an unauthenticated attacker can send an invalid ClientHello message to a DTLS server that causes a heap-based buffer over-read of up to 255 bytes. This can cause a server crash or possibly information disclosure based on error responses. Affected configurations have MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled and MBEDTLS_SSL_IN_CONTENT_LEN less than a threshold that depends on the configuration: 258 bytes if using mbedtls_ssl_cookie_check, and possibly up to 571 bytes with a custom cookie check function.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Arm	Mbed Tls
Debian	Debian Linux

Configuration 1 [-]

OR	cpe:2.3:a:arm:mbed_tls::::::::
	cpe:2.3:a:arm:mbed_tls::::::::

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/Mbed-TLS/mbedtls/releases
https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html
https://mbed-tls.readthedocs.io/en/latest/security-advisories/advisories/mbedtls-security-advisory-2022-07.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-07-15T00:00:00

Updated: 2024-08-03T09:36:44.078Z

Reserved: 2022-07-08T00:00:00

Link: CVE-2022-35409

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-07-15T14:15:09.840

Modified: 2023-03-03T15:33:32.247

Link: CVE-2022-35409

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-35409", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T09:36:44.078Z", "dateReserved": "2022-07-08T00:00:00", "datePublished": "2022-07-15T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-12-26T00:00:00"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Mbed TLS before 2.28.1 and 3.x before 3.2.0. In some configurations, an unauthenticated attacker can send an invalid ClientHello message to a DTLS server that causes a heap-based buffer over-read of up to 255 bytes. This can cause a server crash or possibly information disclosure based on error responses. Affected configurations have MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled and MBEDTLS_SSL_IN_CONTENT_LEN less than a threshold that depends on the configuration: 258 bytes if using mbedtls_ssl_cookie_check, and possibly up to 571 bytes with a custom cookie check function."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Mbed-TLS/mbedtls/releases"}, {"url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/advisories/mbedtls-security-advisory-2022-07.html"}, {"name": "[debian-lts-announce] 20221225 [SECURITY] [DLA 3249-1] mbedtls security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:36:44.078Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/Mbed-TLS/mbedtls/releases", "tags": ["x_transferred"]}, {"url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/advisories/mbedtls-security-advisory-2022-07.html", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20221225 [SECURITY] [DLA 3249-1] mbedtls security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A6CE3E9-8C2E-4E08-AC08-94F602216EDD", "versionEndExcluding": "2.28.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CEA3354-400D-4AEA-B821-1D30FCA4C657", "versionEndExcluding": "3.2.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Mbed TLS before 2.28.1 and 3.x before 3.2.0. In some configurations, an unauthenticated attacker can send an invalid ClientHello message to a DTLS server that causes a heap-based buffer over-read of up to 255 bytes. This can cause a server crash or possibly information disclosure based on error responses. Affected configurations have MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled and MBEDTLS_SSL_IN_CONTENT_LEN less than a threshold that depends on the configuration: 258 bytes if using mbedtls_ssl_cookie_check, and possibly up to 571 bytes with a custom cookie check function."}, {"lang": "es", "value": "Se ha descubierto un problema en Mbed TLS antes de la versi\u00f3n 2.28.1 y 3.x antes de la 3.2.0. En algunas configuraciones, un atacante no autenticado puede enviar un mensaje ClientHello no v\u00e1lido a un servidor DTLS que provoca una sobrelectura del b\u00fafer basada en el mont\u00f3n de hasta 255 bytes. Esto puede causar una ca\u00edda del servidor o posiblemente la divulgaci\u00f3n de informaci\u00f3n basada en las respuestas de error. Las configuraciones afectadas tienen MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE habilitado y MBEDTLS_SSL_IN_CONTENT_LEN menos que un umbral que depende de la configuraci\u00f3n: 258 bytes si se utiliza mbedtls_ssl_cookie_check, y posiblemente hasta 571 bytes con una funci\u00f3n de comprobaci\u00f3n de cookies personalizada"}], "id": "CVE-2022-35409", "lastModified": "2023-03-03T15:33:32.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-15T14:15:09.840", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/Mbed-TLS/mbedtls/releases"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/advisories/mbedtls-security-advisory-2022-07.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}