CVE-2022-35409
📋 TL;DR
This vulnerability in Mbed TLS allows unauthenticated attackers to send specially crafted DTLS ClientHello messages to servers with specific configurations, causing heap buffer over-reads of up to 255 bytes. This can lead to server crashes or potential information disclosure through error responses. Systems are affected if they use Mbed TLS with DTLS client port reuse enabled and insufficient buffer sizes.
💻 Affected Systems
- Mbed TLS
⚠️ Risk & Real-World Impact
Worst Case
Server crash leading to denial of service, or information disclosure of up to 255 bytes of heap memory through error responses, potentially exposing sensitive data.
Likely Case
Server crash causing denial of service, disrupting DTLS services and affecting availability.
If Mitigated
No impact if vulnerable configurations are disabled or patches are applied.
🎯 Exploit Status
Exploitation requires sending malformed DTLS packets to vulnerable servers with specific configurations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Mbed TLS 2.28.1 or 3.2.0
Vendor Advisory: https://mbed-tls.readthedocs.io/en/latest/security-advisories/advisories/mbedtls-security-advisory-2022-07.html
Restart Required: Yes
Instructions:
1. Update Mbed TLS to version 2.28.1 or 3.2.0.
2. Recompile applications using Mbed TLS.
3. Restart affected services.
🔧 Temporary Workarounds
Disable DTLS client port reuse
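Disable MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE in configuration to prevent exploitation.
# In mbedtls_config.h (config.h on the 2.x branch) or the build configuration, comment out or remove the #define of MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE. The library tests the option with #if defined(), so defining it to 0 leaves it enabled.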
Increase buffer size
Ensure MBEDTLS_SSL_IN_CONTENT_LEN is set to at least 258 bytes (or 571 if using custom cookie check).
# In mbedtls_config.h, set MBEDTLS_SSL_IN_CONTENT_LEN to 258 or higher
🧯 If You Can't Patch
- Disable DTLS services if not required
- Implement network filtering to block DTLS traffic from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Check the Mbed TLS version and configuration: the build is vulnerable if the version is below 2.28.1 (2.x branch) or below 3.2.0 (3.x branch), MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE is enabled, and MBEDTLS_SSL_IN_CONTENT_LEN is below 258 bytes (571 if using custom cookie check).
Check Version:
# For applications using Mbed TLS, check version in source or via mbedtls_version_get_string()
Verify Fix Applied:
Confirm Mbed TLS version is 2.28.1 or higher for 2.x branch, or 3.2.0 or higher for 3.x branch.
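The checks above as a script, added here as an example (it is not from the Mbed TLS project or the advisory): it reads a version string and a config header and reports whether the preconditions listed on this page are met. The function names, the 16384 fallback for an unset MBEDTLS_SSL_IN_CONTENT_LEN and the sample header are assumptions of this example.

```shell
#!/bin/sh
# True if NAME has an active #define. Mbed TLS tests options with
# "#if defined(...)", so "#define NAME 0" still counts as enabled.
# Lines commented out with // are ignored; /* */ blocks are not parsed.
is_defined() {  # is_defined NAME FILE
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+${1}([[:space:]]|\$)" "$2"
}

# Prints the decimal value of NAME, or FALLBACK when there is no such #define.
define_value() {  # define_value NAME FILE FALLBACK
    v=$(sed -nE "s/^[[:space:]]*#[[:space:]]*define[[:space:]]+${1}[[:space:]]+([0-9]+).*/\1/p" "$2" | tail -n 1)
    echo "${v:-$3}"
}

# True if X.Y.Z is at or above the fixed releases named on this page.
version_is_fixed() {  # version_is_fixed X.Y.Z
    maj=${1%%.*}; rest=${1#*.}; min=${rest%%.*}; pat=${rest#*.}
    case $maj in
        2) [ "$min" -gt 28 ] || { [ "$min" -eq 28 ] && [ "$pat" -ge 1 ]; } ;;
        3) [ "$min" -ge 2 ] ;;
        *) [ "$maj" -gt 3 ] ;;
    esac
}

# Prints "exposed" or "not-exposed: <reason>".
# MIN_LEN defaults to 258; pass 571 when a custom cookie check is in use.
audit_config() {  # audit_config VERSION FILE [MIN_LEN]
    if version_is_fixed "$1"; then echo "not-exposed: fixed version"; return 0; fi
    if ! is_defined MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE "$2"; then
        echo "not-exposed: port reuse disabled"; return 0
    fi
    # Assumption: an unset MBEDTLS_SSL_IN_CONTENT_LEN falls back to 16384.
    len=$(define_value MBEDTLS_SSL_IN_CONTENT_LEN "$2" 16384)
    if [ "$len" -ge "${3:-258}" ]; then
        echo "not-exposed: input buffer large enough"; return 0
    fi
    echo "exposed"
}

# Constructed sample header (not from a real project).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 0
#define MBEDTLS_SSL_IN_CONTENT_LEN 256
EOF
audit_config 2.28.0 "$sample"   # exposed
audit_config 2.28.1 "$sample"   # not-exposed: fixed version
rm -f "$sample"
```

Run it against the header your build actually uses, since a board or vendor overlay may differ from the copy in the source tree.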
📡 Detection & Monitoring
Log Indicators:
- DTLS connection errors, server crashes, or abnormal termination logs
Network Indicators:
- Malformed DTLS ClientHello packets with unusual sizes
SIEM Query:
Search for DTLS protocol errors or server crash events in application logs
🔗 References
- https://github.com/Mbed-TLS/mbedtls/releases
- https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/advisories/mbedtls-security-advisory-2022-07.html