Bug 1201581 (CVE-2022-35409)

Summary: VUL-0: CVE-2022-35409: mbedtls: Buffer overread in DTLS ClientHello parsing
Product: [openSUSE] openSUSE Distribution
Reporter: Hu <cathy.hu>
Component: Security
Assignee: Martin Pluskal <mpluskal>
Status: NEW
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: abergmann
Version: Leap 15.4
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/337399/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Hu 2022-07-18 08:08:23 UTC
CVE-2022-35409

An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.2.0. In some
configurations, an unauthenticated attacker can send an invalid ClientHello
message to a DTLS server that causes a heap-based buffer over-read of up to 255
bytes. This can cause a server crash or possibly information disclosure based on
error responses. Affected configurations have MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
enabled and MBEDTLS_SSL_IN_CONTENT_LEN less than a threshold that depends on the
configuration: 258 bytes if using mbedtls_ssl_cookie_check, and possibly up to
571 bytes with a custom cookie check function.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-35409
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35409
https://github.com/Mbed-TLS/mbedtls/releases
https://mbed-tls.readthedocs.io/en/latest/security-advisories/advisories/mbedtls-security-advisory-2022-07.html
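
A configuration check built from the affected-version and buffer-threshold statements in the description above, added here as an example; it is not part of this bug report or of the Mbed TLS project. It parses the active MBEDTLS_* defines from a config header and reports whether a build meets the exposure conditions. The sample header is constructed, and the 16384 fallback used when MBEDTLS_SSL_IN_CONTENT_LEN is not defined is an assumption.

```python
"""Check an Mbed TLS build for the CVE-2022-35409 exposure conditions."""
import re

# Thresholds quoted in the advisory: the DTLS ClientHello parser can over-read
# when the inbound content buffer is smaller than these values.
THRESHOLD_BUILTIN_COOKIE = 258  # with mbedtls_ssl_cookie_check
THRESHOLD_CUSTOM_COOKIE = 571   # worst case with a custom cookie check function

# Assumption: the build falls back to 16384 when MBEDTLS_SSL_IN_CONTENT_LEN is unset.
DEFAULT_IN_CONTENT_LEN = 16384

# Matches active "#define MBEDTLS_X [value]" lines; commented-out lines
# ("//#define ...") do not start with '#' and are therefore skipped.
DEFINE_RE = re.compile(r"^\s*#\s*define\s+(MBEDTLS_\w+)(?:[ \t]+(\S+))?", re.M)


def parse_defines(config_text):
    """Return {macro: value or None} for every active MBEDTLS_* define."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(config_text)}


def version_affected(version):
    """True for releases before the fixes named in the report (2.28.2, 3.2.0)."""
    major, minor, patch = (int(x) for x in version.split("."))
    if major == 2:
        return (minor, patch) < (28, 2)
    if major == 3:
        return (minor, patch) < (2, 0)
    return False


def config_affected(defines, custom_cookie_check=False):
    """True if port reuse is enabled and the input buffer is below the threshold."""
    if "MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE" not in defines:
        return False
    raw = defines.get("MBEDTLS_SSL_IN_CONTENT_LEN")
    in_len = int(raw.strip("()")) if raw else DEFAULT_IN_CONTENT_LEN
    limit = THRESHOLD_CUSTOM_COOKIE if custom_cookie_check else THRESHOLD_BUILTIN_COOKIE
    return in_len < limit


def is_exposed(version, config_text, custom_cookie_check=False):
    """Both conditions must hold: a vulnerable release and a risky configuration."""
    return version_affected(version) and config_affected(
        parse_defines(config_text), custom_cookie_check)


# Constructed sample header (not a real project file) showing the risky combination.
SAMPLE_CONFIG = """
#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
#define MBEDTLS_SSL_IN_CONTENT_LEN 256
"""
```
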

Comment 1 Hu 2022-07-18 08:08:36 UTC
Affected:
- openSUSE:Backports:SLE-15-SP3:Update/mbedtls  2.16.9
- openSUSE:Backports:SLE-15-SP4/mbedtls         2.28.0
- openSUSE:Factory/mbedtls                      2.28.0

Comment 2 Alexander Bergmann 2022-12-21 12:52:40 UTC
Upstream fix:
https://github.com/Mbed-TLS/mbedtls/commit/e5af9fabf7d68e3807b6ea78792794b8352dbba2

Only SLE-15-SP3 is still affected. All other code streams are already fixed.

Comment 3 OBSbugzilla Bot 2022-12-21 13:55:03 UTC
This is an autogenerated message for OBS integration:
This bug (1201581) was mentioned in
https://build.opensuse.org/request/show/1044081 Backports:SLE-15-SP3 / mbedtls

Comment 4 Swamp Workflow Management 2022-12-22 17:20:07 UTC
openSUSE-SU-2022:10247-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1201581
CVE References: CVE-2021-35409,CVE-2022-35409
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    mbedtls-2.16.9-bp153.2.8.1