
CVE-2024-23744: Persistent TLS 1.3 handshake denial in Mbed TLS 3.5.1

Severity: High
Published: Sun Jan 21 2024 (01/21/2024, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

An issue was discovered in Mbed TLS 3.5.1. There is persistent handshake denial if a client sends a TLS 1.3 ClientHello without extensions.

AI-Powered Analysis

Last updated: 07/06/2025, 07:25:41 UTC

Technical Analysis

CVE-2024-23744 is a high-severity denial-of-service vulnerability in Mbed TLS 3.5.1, a widely used open-source TLS library aimed at embedded and constrained systems. It affects the server side of the TLS 1.3 implementation: when a client sends a TLS 1.3 ClientHello that carries no extensions, the server not only fails that handshake but is left in a state in which later handshake attempts also fail. That persistence is what separates this flaw from an ordinary rejected handshake: a single malformed message from any unauthenticated peer removes the server's ability to serve subsequent, well-formed clients until the affected server is reset. A ClientHello with no extensions can never be a valid TLS 1.3 hello, since RFC 8446 makes the supported_versions extension mandatory; such a message is a TLS 1.2-shaped hello that a TLS 1.3-capable server must either downgrade or reject cleanly, and the defect lies in how Mbed TLS 3.5.1 handled that rejection, not in accepting the message. The issue is categorized under CWE-400 (uncontrolled resource consumption). The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects an attack that is reachable over the network, needs no privileges or user interaction, and affects availability only, with no impact on confidentiality or integrity. Only Mbed TLS 3.5.1 is affected; the fix shipped in Mbed TLS 3.5.2. No exploitation in the wild has been reported. Any network-facing service that terminates TLS 1.3 with Mbed TLS 3.5.1, which in practice means IoT and embedded firmware as well as small servers built on the library, is exposed.

Potential Impact

For European organizations, the impact of CVE-2024-23744 could be significant, particularly where Mbed TLS 3.5.1 is used in critical infrastructure, web services, IoT devices, or embedded systems that rely on TLS 1.3 for secure communications. A persistent handshake denial causes service outages or degraded performance, and because one message is enough to wedge a server, the attacker needs neither volume nor sustained traffic. This can disrupt business operations, erode customer trust, and affect compliance with regulations such as GDPR, whose security requirements include the availability and resilience of systems processing personal data. Industries such as finance, healthcare, telecommunications, and government services in Europe, which often require high availability and secure communications, may face operational risks. Denial of service exploiting this vulnerability could also be used as a smokescreen for other malicious activity or to cause reputational damage. The absence of confidentiality and integrity impact means data breaches are unlikely to result directly from this vulnerability, but the availability impact alone can have cascading effects on business continuity and on incident response capabilities that depend on the affected TLS endpoints.

Mitigation Recommendations

To mitigate CVE-2024-23744, organizations should first inventory all systems, devices and vendor firmware built on Mbed TLS 3.5.1; earlier 3.x releases are not affected, so the exact version matters. Then:
1) Upgrade to Mbed TLS 3.5.2 or later, which contains the fix. This is the only complete remediation.
2) Where an upgrade cannot be deployed immediately, take the TLS 1.3 code path out of exposure: cap the server at TLS 1.2 (in Mbed TLS 3.x, mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2)) or build the library without MBEDTLS_SSL_PROTO_TLS1_3. "Stricter validation of ClientHello messages" in the application is not a workaround: the library already rejects the message, the application never sees the raw ClientHello, and the problem is the state the rejection leaves behind.
3) Treat a run of consecutive handshake failures on a server that was previously healthy as an availability incident and restart the affected service, since the denial persists until the server is reset.
4) Implement network-level protections such as rate limiting, anomaly detection and filtering for ClientHello messages that carry no extensions. On the wire this shape is easy to recognise (the handshake body ends immediately after the compression-methods field), but very old TLS 1.2 clients may legitimately send it, so alert and throttle against a baseline rather than blocking outright.
5) Monitor logs and network traffic for such hellos and for handshake-failure bursts indicative of exploitation attempts.
6) For embedded or IoT devices where patching is difficult, use network segmentation and limit exposure to untrusted networks.
7) Engage vendors or maintainers of products embedding Mbed TLS to ensure timely updates.
8) Incorporate this vulnerability into incident response plans so that denial of service conditions tied to TLS handshakes are identified and resolved quickly.
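The trigger shape and a detector for it, as an added example that is not part of this page or of the Mbed TLS project: the script below builds constructed ClientHello records (no extensions block, an empty extensions block, a TLS 1.3 hello carrying supported_versions, and a TLS 1.2 hello carrying only server_name), parses them using the RFC 8446 field layout, and labels the ones with zero extensions as the CVE-2024-23744 trigger shape, which is what the network-level monitoring in items 4 and 5 above needs to recognise. Assumptions: the sample bytes are constructed here, not captured; the names parse_client_hello, classify and build_client_hello are chosen for this example; and both the absent-block and zero-length-block encodings are treated as the trigger, because the page only says "without extensions" and does not distinguish the two. The parser also illustrates why such a hello can never be a valid TLS 1.3 message: supported_versions is mandatory, so a hello with no extensions is TLS 1.2-shaped and a TLS 1.3-capable server must handle it without corrupting its own state.

```python
# Constructed example: flag the no-extensions ClientHello shape behind CVE-2024-23744.
import struct
from typing import Optional

TLS13 = 0x0304                 # version value carried in supported_versions (RFC 8446)
EXT_SERVER_NAME = 0            # extension type codes from the IANA TLS registry
EXT_SUPPORTED_VERSIONS = 43


class ParseError(ValueError):
    """Record does not decode as a well-formed ClientHello."""


def _need(buf: bytes, off: int, n: int) -> None:
    # Bounds check before every read: a truncated hello must fail, not index past the buffer.
    if off + n > len(buf):
        raise ParseError(f"truncated: need {n} bytes at offset {off}")


def _u16(buf: bytes, off: int) -> int:
    _need(buf, off, 2)
    return struct.unpack("!H", buf[off:off + 2])[0]


def parse_client_hello(record: bytes) -> dict:
    """Decode a TLS record holding a ClientHello; field order per RFC 8446 section 4.1.2."""
    _need(record, 0, 5)
    if record[0] != 0x16:
        raise ParseError("not a handshake record")
    rlen = _u16(record, 3)
    _need(record, 5, rlen)
    hs = record[5:5 + rlen]
    _need(hs, 0, 4)
    if hs[0] != 0x01:
        raise ParseError("not a ClientHello")
    hlen = int.from_bytes(hs[1:4], "big")
    _need(hs, 4, hlen)
    body = hs[4:4 + hlen]

    off = 34                                  # legacy_version (2) + random (32)
    _need(body, off, 1)
    off += 1 + body[off]                      # legacy_session_id
    cs_len = _u16(body, off)
    off += 2 + cs_len                         # cipher_suites
    _need(body, off, 1)
    off += 1 + body[off]                      # legacy_compression_methods
    _need(body, off, 0)

    extensions = []
    ext_block_present = off < len(body)       # RFC 5246 lets a TLS 1.2 client omit the block
    if ext_block_present:
        ext_len = _u16(body, off)
        off += 2
        _need(body, off, ext_len)
        end = off + ext_len
        while off < end:
            etype, elen = _u16(body, off), _u16(body, off + 2)
            off += 4
            _need(body, off, elen)
            extensions.append((etype, body[off:off + elen]))
            off += elen
        if off != end or end != len(body):
            raise ParseError("extensions block length inconsistent with body")

    offered = []                              # versions listed in supported_versions, if any
    for etype, data in extensions:
        if etype == EXT_SUPPORTED_VERSIONS:
            _need(data, 0, 1)
            n = data[0]
            if n % 2:
                raise ParseError("odd supported_versions length")
            _need(data, 1, n)
            offered = [_u16(data, 1 + i) for i in range(0, n, 2)]

    return {"ext_block_present": ext_block_present,
            "extension_types": [t for t, _ in extensions],
            "offers_tls13": TLS13 in offered}


def classify(record: bytes) -> str:
    """Hunting label. 'no-extensions' is the shape that wedges an Mbed TLS 3.5.1 server with
    TLS 1.3 enabled; it cannot be a valid TLS 1.3 hello because supported_versions is mandatory."""
    info = parse_client_hello(record)
    if not info["extension_types"]:
        return "no-extensions"
    return "tls13" if info["offers_tls13"] else "tls12-with-extensions"


def ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(extensions: Optional[bytes]) -> bytes:
    """Constructed sample. None omits the extensions block; b'' sends a zero-length block."""
    body = (b"\x03\x03" + b"\x11" * 32        # legacy_version, fixed random for reproducibility
            + b"\x00"                         # empty legacy_session_id
            + b"\x00\x02\x13\x01"             # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00")                    # null compression only
    if extensions is not None:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# server_name: list length 14, host_name type 0, name length 11, "example.com" (constructed)
SNI = ext(EXT_SERVER_NAME, b"\x00\x0e\x00\x00\x0bexample.com")
SUPPORTED_VERSIONS_13 = ext(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")

NO_EXT_HELLO = build_client_hello(None)
EMPTY_EXT_HELLO = build_client_hello(b"")
TLS13_HELLO = build_client_hello(SNI + SUPPORTED_VERSIONS_13)
TLS12_HELLO = build_client_hello(SNI)

if __name__ == "__main__":
    for name, rec in [("no block", NO_EXT_HELLO), ("empty block", EMPTY_EXT_HELLO),
                      ("tls13", TLS13_HELLO), ("tls12+sni", TLS12_HELLO)]:
        print(f"{name:12s} {len(rec):3d} bytes -> {classify(rec)}")
```

Run as a script it prints one label per sample. To use it on real traffic, feed it the first record of each inbound TLS connection (from a packet capture or a TLS-terminating proxy tap) and count "no-extensions" hits per source: a legacy TLS 1.2 client produces the same label, so compare against your baseline before blocking anything, and treat the label as a hunting signal rather than a verdict.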


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2024-01-21T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68406659182aa0cae2b37adf

Added to database: 6/4/2025, 3:29:29 PM

Last enriched: 7/6/2025, 7:25:41 AM

Last updated: 8/14/2025, 3:40:48 PM

