External risk intelligence

Mbed TLS DTLS Heap Buffer Over-read Leads to Server Crash

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2022-35409

An unauthenticated attacker can cause a DTLS server to crash or potentially disclose information by sending an invalid ClientHello message. This vulnerability affects specific configurations of the Mbed TLS cryptographic library, which is commonly used in internet-facing applications and devices.

Halo Surface Signal: 4

Out-of-bounds Read

Arm Mbed TLS

before 2.28.1; 3.0.0 to before 3.2.0; 10.0

External exposure likelihood

Halo Surface Signal score for CVE-2022-35409

Mbed TLS is a widely used cryptographic library embedded in numerous internet-facing network applications, gateways, and IoT devices. The vulnerability affects the DTLS server implementation. DTLS is a protocol commonly exposed on the internet to facilitate encrypted communications, so it is plausible that affected services are reachable from public networks.

PCI scan relevance

PCI Relevance for CVE-2022-35409

Yes

CVE-2022-35409 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Mbed TLS allows an unauthenticated attacker to cause a server crash or potential information disclosure. The critical severity (CVSS score of 9.1) makes it relevant for PCI compliance.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory highlights an issue within the Mbed TLS cryptographic library that could allow an unauthenticated attacker to disrupt DTLS server operations, potentially leading to crashes or the disclosure of limited information. The vulnerability is present in certain configurations of the library that handle secure communication protocols, primarily affecting internet-facing network applications, gateways, and IoT devices. The main concern is confirming relevance and exposure.

  • Server crashes or data leaks possible.
  • Widely used library; impacts many connected devices.
  • Confirm if this library is used in your environment.

Attack Path

How an attacker could exploit the issue

An attacker can target a DTLS server by sending a specially crafted, invalid ClientHello message. This message can cause the server to misread data from its memory, potentially leading to a crash or the disclosure of sensitive information. This attack does not require any prior authentication or access to the server.

  • No authentication needed to attack.
  • Triggered by sending an invalid ClientHello.
  • Server crash or information disclosure.

Live Threat

Current exploitation, exposure, and threat context

According to the advisory, an unauthenticated attacker could crash a DTLS server or potentially cause information disclosure through error responses by sending a crafted ClientHello message. This could affect servers running Mbed TLS in specific configurations where DTLS client port reuse is enabled and the content length is limited.

  • Server availability and information disclosure.
  • Malformed DTLS messages.
  • Denial of service or data leakage.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Infrastructure and platform teams are primarily responsible for managing the Mbed TLS library, as it's often integrated into network services and devices. The first practical step is to inventory all systems using Mbed TLS, confirm if they are internet-reachable or critical, and identify the accountable owner for each. Remediation planning should then proceed based on the assessed risk, potentially involving vendor coordination for updates or temporary mitigations if direct patching isn't immediately feasible.

  • Identify infrastructure and platform owners.
  • Confirm exposure and criticality of systems.
  • Plan risk-based remediation actions.
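
One way to run the inventory step against a firmware or application source tree, as an added example that is not from the advisory or the Mbed TLS project: it classifies a build from its Mbed TLS version string and config header, using the affected ranges and preconditions listed on this page. The verdict labels, `SAMPLE_CONFIG`, and treating any input content length below the library's 16384-byte default as "limited" are assumptions of this example.

```python
import re

def version_affected(version):
    """Ranges as listed on this page: before 2.28.1, and 3.0.0 to before 3.2.0."""
    v = tuple(int(p) for p in version.split(".")[:3])
    return v < (2, 28, 1) or (3, 0, 0) <= v < (3, 2, 0)

def active_defines(header_text):
    """Map macro -> value for #define lines that are not commented out."""
    text = re.sub(r"/\*.*?\*/", "", header_text, flags=re.S)
    defines = {}
    for line in text.splitlines():
        m = re.match(r"\s*#\s*define\s+(\w+)\s*(.*)", line.split("//", 1)[0])
        if m:
            defines[m.group(1)] = m.group(2).strip()
    return defines

def assess(version, config_text, default_len=16384):
    """Classify one build. default_len is the library's default record buffer
    size; anything smaller is treated as 'limited' (assumption of this example)."""
    if not version_affected(version):
        return "fixed-version"
    d = active_defines(config_text)
    needed = ("MBEDTLS_SSL_PROTO_DTLS", "MBEDTLS_SSL_SRV_C",
              "MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE")
    if not all(name in d for name in needed):
        return "preconditions-absent"
    # 2.x builds fall back to MBEDTLS_SSL_MAX_CONTENT_LEN when IN_CONTENT_LEN is unset.
    raw = d.get("MBEDTLS_SSL_IN_CONTENT_LEN") or d.get("MBEDTLS_SSL_MAX_CONTENT_LEN")
    if raw is None:
        return "preconditions-absent"      # default-sized buffer
    raw = raw.strip("() ")
    if not raw.isdigit():
        return "review-manually"           # value is an expression, not a literal
    return "exposed-config" if int(raw) < default_len else "preconditions-absent"

# Constructed sample: a trimmed config header for a constrained device.
SAMPLE_CONFIG = """
#define MBEDTLS_SSL_PROTO_DTLS
#define MBEDTLS_SSL_SRV_C
#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
/* #define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 */
#define MBEDTLS_SSL_IN_CONTENT_LEN 256   // small receive buffer
"""

if __name__ == "__main__":
    for ver in ("2.28.0", "3.1.0", "3.2.0"):
        print(ver, assess(ver, SAMPLE_CONFIG))
```

A build reported as `exposed-config` should be checked against the upstream Mbed TLS advisory for the exact buffer-size condition before it is prioritized or cleared.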

Frequently asked questions

What is Mbed TLS and what is it used for?

Mbed TLS is a cryptographic library. It is used to provide secure communication protocols, often embedded in network applications, gateways, and Internet of Things (IoT) devices.

How does CVE-2022-35409 affect Mbed TLS?

CVE-2022-35409 is a heap-based buffer over-read vulnerability. In specific configurations, an attacker can send a malformed message to a DTLS server, causing it to read beyond its allocated memory, which can lead to a server crash or potential information disclosure.

What are the preconditions for an attacker to exploit this vulnerability?

An attacker needs to send an invalid ClientHello message to a DTLS server. This attack does not require any authentication or prior access to the server, and it specifically targets configurations where DTLS client port reuse is enabled and the content length is limited.

Who should be concerned about this CVE based on its exposure?

Organizations with internet-facing network applications, gateways, or IoT devices that use Mbed TLS should be concerned. This vulnerability affects DTLS servers, and DTLS is a protocol commonly exposed to the public internet for secure communication.

What is the first step for managing this threat?

The initial step is to inventory all systems that use the Mbed TLS library. Following that, confirm if these systems are internet-reachable or critical, and identify the responsible owner for each system to plan appropriate remediation actions.
