Zephyr TLS Socket Protocol Negotiation Vulnerability Allowing Downgrade to TLS 1.2

Vulnerability

A vulnerability exists in Zephyr sockets created with 'IPPROTO_TLS_1_3' that allows a TLS 1.2 connection to be negotiated when both TLS 1.2 and TLS 1.3 are enabled in Kconfig. The cause is that the protocol version selected at the socket level is not passed on to mbedTLS, so mbedTLS still accepts a TLS 1.2 handshake and the application is exposed to TLS 1.2-specific weaknesses it believed it had opted out of. The issue affects Zephyr versions through 4.3.

Impact

This vulnerability could lead to the unintended use of TLS 1.2 by an application that requested TLS 1.3. TLS 1.2 is not fundamentally broken, but it could expose the application to specific attacks under certain conditions, and the downgrade is not visible to the application itself.

Reproduction

The vulnerability can be reproduced on the native_sim board using Zephyr version 4.3 or earlier. After generating the keys and certificates needed for a TLS 1.2-only server, the Zephyr application can be built and run against it. Observing the handshake in Wireshark shows that the socket offers both TLS 1.2 and TLS 1.3 even though it was created with 'IPPROTO_TLS_1_3', and that the connection silently settles on TLS 1.2.

Remediation

As a workaround, the 'TLS_CIPHERSUITE_LIST' socket option can be set to allow only TLS 1.3 cipher suites. Because TLS 1.3 suites are not usable in a TLS 1.2 handshake, a peer that supports only TLS 1.2 then has no suite in common with the socket and the handshake fails instead of downgrading. Check that the list is non-empty, since an empty list would reinstate the default mixed set.
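The following is an added example, not code from Zephyr or from this advisory. It validates that a cipher suite list contains only TLS 1.3 suites (using the IANA IDs from RFC 8446, which are also the numeric values of mbedTLS's MBEDTLS_TLS1_3_* constants) and, on Zephyr only, applies that list with 'TLS_CIPHERSUITE_LIST'. The Zephyr calls (zsock_socket, zsock_setsockopt with SOL_TLS, an int array as the option value) are assumptions about the socket API and are not exercised outside a Zephyr build.

```c
#include <stdbool.h>
#include <stddef.h>

/* IANA ciphersuite IDs for TLS 1.3 (RFC 8446, appendix B.4); mbedTLS uses
 * the same numeric values for its MBEDTLS_TLS1_3_* constants. */
#define TLS13_AES_128_GCM_SHA256        0x1301
#define TLS13_AES_256_GCM_SHA384        0x1302
#define TLS13_CHACHA20_POLY1305_SHA256  0x1303
#define TLS13_AES_128_CCM_SHA256        0x1304
#define TLS13_AES_128_CCM_8_SHA256      0x1305

/* Every TLS 1.3 suite ID is in 0x1301..0x1305; TLS 1.2 suites live elsewhere
 * (e.g. 0xC02B, ECDHE-ECDSA-AES128-GCM-SHA256). */
static bool is_tls13_suite(int id)
{
    return id >= TLS13_AES_128_GCM_SHA256 && id <= TLS13_AES_128_CCM_8_SHA256;
}

/* True only if the list is non-empty and holds nothing but TLS 1.3 suites,
 * so a peer has no TLS 1.2 suite left to negotiate. An empty list is
 * rejected because it would fall back to the default (mixed) set. */
bool list_is_tls13_only(const int *list, size_t count)
{
    if (count == 0) return false;
    for (size_t i = 0; i < count; i++) {
        if (!is_tls13_suite(list[i])) return false;
    }
    return true;
}

#ifdef __ZEPHYR__
#include <zephyr/net/socket.h>
/* Assumed Zephyr socket API (not verified here): TLS_CIPHERSUITE_LIST on
 * SOL_TLS takes an int array of ciphersuite IDs. Returns the fd or -1. */
int open_tls13_only_socket(void)
{
    static const int only13[] = { TLS13_AES_256_GCM_SHA384,
        TLS13_AES_128_GCM_SHA256, TLS13_CHACHA20_POLY1305_SHA256 };
    size_t n = sizeof(only13) / sizeof(only13[0]);
    int sock = zsock_socket(AF_INET, SOCK_STREAM, IPPROTO_TLS_1_3);
    if (sock < 0 || !list_is_tls13_only(only13, n) ||
        zsock_setsockopt(sock, SOL_TLS, TLS_CIPHERSUITE_LIST,
                         only13, sizeof(only13)) < 0) {
        if (sock >= 0) zsock_close(sock);
        return -1;
    }
    return sock;
}
#endif
```

Keep the validation in place even after the upstream fix lands, so a later configuration change that reintroduces a TLS 1.2 suite is caught at startup rather than on the wire.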

Added: May 11, 2026, 6:19 AM
Updated: May 11, 2026, 6:19 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 1.3
exploitability: 6.0
remediation: 7.9
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.