Mbed TLS
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*, +1 more
- >= 3.5.0, <= 3.6.5
- 4.0.0
A client impersonation vulnerability has been identified in Mbed TLS versions from 3.5.0 before 3.6.6, and in 4.0.0. The issue arises when a server that supports both TLS 1.2 and TLS 1.3 is asked to resume a TLS 1.3 session using a ticket. If the server answers with a HelloRetryRequest and the subsequent ClientHello negotiates TLS 1.2, the server incorrectly resumes a TLS 1.2 session using an all-zero master secret. Because that master secret is a known constant, a man-in-the-middle attacker who intercepts the HelloRetryRequest can derive the session keys and complete the handshake as if they were the legitimate client, without ever learning the secret protected by the ticket. This bypasses client authentication and lets the attacker inherit any application-level privileges encoded in the session ticket.
Successful exploitation results in client impersonation: the attacker bypasses authentication and, where the server grants rights based on the resumed session, obtains the privileges of the impersonated client.
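The following is an added illustration of the flow described above, not Mbed TLS source code. It models a dual-version server with a small state machine (ServerSession, Ticket, process_client_hello and the run_downgrade driver are all assumptions chosen for the model; the message strings are labels, not wire messages). The one real piece is the TLS 1.2 PRF (P_SHA256 from RFC 5246 section 5), which is used to show that an attacker who simply assumes an all-zero master secret derives exactly the key block the vulnerable server uses, while the patched variant, which refuses to carry TLS 1.3 ticket state into a TLS 1.2 handshake, falls back to a full handshake.

```python
"""Simplified model of the HelloRetryRequest downgrade resumption flaw.

Added illustration only: this is not Mbed TLS source. The ServerSession
state machine, Ticket format, message strings and the run_downgrade driver
are assumptions chosen to mirror the flow the advisory describes; the PRF is
the real TLS 1.2 P_SHA256 from RFC 5246 section 5.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Set, Tuple

TLS12: Tuple[int, int] = (3, 3)
TLS13: Tuple[int, int] = (3, 4)


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256(secret, seed): A(i) = HMAC(secret, A(i-1)), A(0) = seed."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_key_block(master_secret: bytes, server_random: bytes, client_random: bytes) -> bytes:
    """key_block = PRF(master_secret, "key expansion", server_random + client_random)."""
    return p_sha256(master_secret, b"key expansion" + server_random + client_random, 64)


@dataclass
class Ticket:
    """Constructed stand-in for a decrypted TLS 1.3 resumption ticket."""
    client_identity: str
    resumption_secret: bytes


@dataclass
class ServerSession:
    patched: bool
    ticket: Optional[Ticket] = None     # resumption state cached from the first ClientHello
    sent_hrr: bool = False
    version: Optional[Tuple[int, int]] = None
    master_secret: bytes = bytes(48)    # TLS 1.2 master secret buffer: all zero until derived
    resumed_as: Optional[str] = None    # identity the server believes it has authenticated


def process_client_hello(s: ServerSession, offered: Set[Tuple[int, int]],
                         ticket: Optional[Ticket], need_hrr: bool) -> str:
    """Handle one ClientHello and return the handshake path the server takes."""
    if not s.sent_hrr:
        # First ClientHello: a TLS 1.3 PSK ticket is decrypted and cached as session state.
        if TLS13 in offered and ticket is not None:
            s.ticket = ticket
        if need_hrr:
            s.sent_hrr = True
            return "HelloRetryRequest"
    # Second ClientHello after the HRR (or the first one when no HRR was needed).
    s.version = TLS13 if TLS13 in offered else TLS12
    if s.version == TLS13 and s.ticket is not None:
        # Stand-in for the PSK-derived secrets of a genuine TLS 1.3 resumption.
        s.master_secret = p_sha256(s.ticket.resumption_secret, b"resumption", 48)
        s.resumed_as = s.ticket.client_identity
        return "TLS 1.3 PSK resumption"
    if s.patched and s.ticket is not None:
        # Fixed behaviour (model): a TLS 1.3 ticket never resumes a TLS 1.2 session,
        # so the cached state is dropped once TLS 1.2 has been negotiated.
        s.ticket = None
    if s.ticket is not None:
        # Vulnerable path: the abbreviated TLS 1.2 handshake is taken, but no TLS 1.2
        # key exchange ever ran, so master_secret is still the all-zero buffer.
        s.resumed_as = s.ticket.client_identity
        return "TLS 1.2 abbreviated handshake (zero master secret)"
    # Full TLS 1.2 handshake: stand-in for a master secret derived from a fresh key exchange.
    s.master_secret = os.urandom(48)
    return "TLS 1.2 full handshake"


def run_downgrade(patched: bool) -> dict:
    """Drive the advisory's flow: ticket ClientHello -> HRR -> TLS 1.2-only ClientHello from the MITM."""
    srv = ServerSession(patched=patched)
    legit_ticket = Ticket("alice", os.urandom(32))          # constructed sample ticket
    first = process_client_hello(srv, {TLS12, TLS13}, legit_ticket, need_hrr=True)
    # The MITM intercepts the HRR and answers with a ClientHello that only negotiates TLS 1.2
    # and carries no ticket: the attacker never learns legit_ticket.resumption_secret.
    second = process_client_hello(srv, {TLS12}, None, need_hrr=False)
    client_random, server_random = os.urandom(32), os.urandom(32)
    server_keys = tls12_key_block(srv.master_secret, server_random, client_random)
    # The attacker simply assumes the master secret is all zeros and derives the same keys.
    attacker_keys = tls12_key_block(bytes(48), server_random, client_random)
    return {
        "messages": (first, second),
        "resumed_as": srv.resumed_as,
        "attacker_has_keys": srv.resumed_as is not None
        and hmac.compare_digest(server_keys, attacker_keys),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("patched" if flag else "vulnerable", run_downgrade(flag))
```

Running the vulnerable configuration shows the server believing it resumed "alice" while its record keys are reproducible from public handshake data alone; the patched configuration takes a full TLS 1.2 handshake, so the attacker would have to pass whatever authentication that handshake requires.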
Users of Mbed TLS 3.6 LTS should upgrade to 3.6.6 or later. Users of the 4.x series should upgrade to 4.1.0 or later.