CVE-2024-23744: 
Mbed TLS vulnerability analysis and mitigation

An issue was discovered in Mbed TLS 3.5.1, identified as CVE-2024-23744, which was reported on January 21, 2024. The vulnerability affects the TLS handshake process when a client sends a TLS 1.3 ClientHello message without extensions (MITRE CVE, NVD).

The vulnerability specifically affects the TLS 1.3 handshake process in Mbed TLS 3.5.1. When a client initiates a connection with a TLS 1.3 ClientHello message that lacks extensions, it results in a persistent handshake denial. The vulnerability has been assigned a CVSS 3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network attack vector, low complexity, and high impact on availability (Ubuntu Security).

The primary impact of this vulnerability is on service availability. When exploited, it causes a persistent denial of handshake operations, preventing legitimate TLS 1.3 connections from being established. The CVSS scoring indicates no impact on confidentiality or integrity, but a high impact on availability (Ubuntu Security).

According to the Debian security tracker, the vulnerability has been fixed in several versions: 2.16.9-0.1 for bullseye, 2.28.3-1 for bookworm, and 3.6.2-3 for sid and trixie. It's worth noting that Mbed TLS 2.x versions are not affected by this vulnerability (Debian Tracker).