CVE-2023-52353: 
Mbed TLS vulnerability analysis and mitigation

A vulnerability was identified in Mbed TLS through version 3.5.1, tracked as CVE-2023-52353. The issue lies in the mbedtls_ssl_session_reset function where the maximum negotiable TLS version is incorrectly handled. The vulnerability was discovered and disclosed on January 21, 2024, affecting all versions of Mbed TLS up to 3.5.1 (NVD, MITRE).

The vulnerability stems from a logic flaw in the mbedtls_ssl_session_reset function where if a connection previously negotiated TLS 1.2, that version becomes the new maximum for subsequent connections. This has been assigned a CVSS v3.1 base score of 7.5 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability can prevent an Mbed TLS server from establishing TLS 1.3 connections after a TLS 1.2 connection has been made, potentially resulting in a forced version downgrade from TLS 1.3 to TLS 1.2. This affects the integrity of the communication channel while confidentiality and availability remain unaffected (NVD).

The vulnerability has been addressed in newer versions of Mbed TLS. Organizations using affected versions should upgrade to a patched version. For Debian systems, fixed versions are available in bullseye (2.16.9-0.1), bookworm (2.28.3-1), and sid/trixie (3.6.2-3) (Debian Tracker).