CVE-2022-35409: 
Mbed TLS vulnerability analysis and mitigation

An issue was discovered in Mbed TLS before 2.28.1 and 3.x before 3.2.0 affecting DTLS servers. The vulnerability (CVE-2022-35409) was disclosed on July 11, 2022, and involves an unauthenticated attacker being able to send an invalid ClientHello message that causes a heap-based buffer over-read of up to 255 bytes (Mbed Advisory).

The vulnerability occurs when MBEDTLSSSLDTLSCLIENTPORTREUSE is enabled and MBEDTLSSSLINCONTENTLEN is set below a certain threshold. An attacker can send a malformed ClientHello message where the declared length of the cookie extends past the end of the message. The threshold depends on the configuration: 258 bytes when using mbedtlssslcookiecheck, and potentially up to 571 bytes with a custom cookie check function (Mbed Advisory).

The vulnerability can lead to a server crash or potential information disclosure based on error responses. When exploited, an unauthenticated remote host can cause a buffer overread of up to 255 bytes on the heap in vulnerable DTLS servers (Mbed Advisory).

Users are recommended to upgrade to Mbed TLS 3.2.0 or 2.28.1 depending on their current branch. Alternative workarounds include: setting a sufficiently large value of MBEDTLSSSLINCONTENTLEN above the threshold for the specific configuration, or disabling MBEDTLSSSLDTLSCLIENTPORT_REUSE (Mbed Advisory).