CVE-2022-35409

Vulnerability

Mbed TLS versions up to and including 2.28.0 and 3.1.0 contain a heap-based buffer over-read vulnerability in the DTLS server's ClientHello parsing. The flaw occurs when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE is enabled and MBEDTLS_SSL_IN_CONTENT_LEN is set below a config-dependent threshold (258 bytes with the default cookie check function, up to 571 bytes with a custom cookie check). An attacker can send a malformed ClientHello whose cookie length field exceeds the actual message length, causing the server to read up to 255 bytes beyond the message boundary into the heap [1].

Exploitation

An unauthenticated remote attacker only needs network access to the DTLS server. The attacker sends a crafted ClientHello with an invalid cookie length declared to be greater than the remaining message size. The server, during DTLS cookie verification, reads past the end of the received message based on that declared length. The default cookie check mbedtls_ssl_cookie_check() requires the cookie length to match the expected value (28 bytes with SHA-256), so successful exploitation depends on the server's configuration; a custom cookie check may be more permissive [1].

Impact

Successful exploitation causes a heap-based buffer over-read of up to 255 bytes. This can lead to a server crash (denial of service), or potentially to information disclosure if the over-read data influences the cookie check function's behavior or error responses [1]. The attacker does not gain code execution or write access.

Mitigation

Upgrade to Mbed TLS 2.28.1 or 3.2.0, released on 2022-07-11 [1]. Users unable to upgrade can mitigate by setting MBEDTLS_SSL_IN_CONTENT_LEN to a sufficiently large value (at least 258 bytes with default settings, or higher with a custom cookie check) [1]. No workaround is needed if the default value is already large enough.