CVE-2024-28836: n/a
An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When negotiating the TLS version on the server side, it can fall back to the TLS 1.2 implementation of the protocol if it is disabled. If the TLS 1.2 implementation was disabled at build time, a TLS 1.2 client could put a TLS 1.3-only server into an infinite loop processing a TLS 1.2 ClientHello, resulting in a denial of service. If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client can successfully establish a TLS 1.2 connection with the server.
AI Analysis
Technical Summary
CVE-2024-28836 affects Mbed TLS versions 3.5.x prior to 3.6.0 and involves a flaw in the server-side TLS version negotiation logic. When a server is built to support only TLS 1.3, with TLS 1.2 disabled at build time, the negotiation code can mistakenly fall back to the TLS 1.2 implementation on receiving a TLS 1.2 ClientHello. Because the TLS 1.2 code is disabled, the server enters an infinite loop attempting to process the TLS 1.2 handshake, causing a denial of service (DoS). Any TLS 1.2 client that can reach the server can trigger this loop remotely; no user interaction is required, and only low privileges (network access) are needed. Alternatively, if TLS 1.2 is disabled at runtime rather than at build time, a TLS 1.2 client can still successfully establish a TLS 1.2 connection, which may violate a security policy that intends to restrict connections to TLS 1.3 only. The vulnerability arises from improper handling of protocol fallback in the Mbed TLS version negotiation logic. No known exploits have been reported, but the flaw can be used to disrupt services relying on Mbed TLS for secure communications. The issue was publicly disclosed in April 2024 and has a CVSS v3.1 base score of 5.4, reflecting moderate severity given the denial-of-service impact and the ease of exploitation over the network.
Potential Impact
The primary impact of CVE-2024-28836 is denial of service against servers running vulnerable Mbed TLS versions that were built with TLS 1.2 disabled but remain reachable by clients sending TLS 1.2 ClientHello messages. Attackers can remotely cause the server to enter an infinite processing loop, rendering the service unavailable to legitimate users. This can disrupt critical services that rely on Mbed TLS for TLS 1.3-only secure communications, including IoT devices, embedded systems, and network appliances. Additionally, if TLS 1.2 is disabled only at runtime, the server may unintentionally accept TLS 1.2 connections, weakening security by permitting an older, less secure protocol version. Organizations worldwide using Mbed TLS in their products or infrastructure may face service outages or policy violations. While no loss of data confidentiality or integrity is directly caused, the availability impact can affect business continuity, user trust, and compliance with security standards that require modern TLS versions.
Mitigation Recommendations
To mitigate CVE-2024-28836, organizations should upgrade Mbed TLS to version 3.6.0 or later, where the vulnerability is fixed. If upgrading immediately is not feasible, consider the following specific measures:
1. Avoid disabling TLS 1.2 at build time if TLS 1.2 clients are expected, or ensure that TLS 1.2 ClientHello messages are handled in a way that cannot enter an infinite loop.
2. Implement network-level filtering to block TLS 1.2 ClientHello messages from untrusted sources, reducing the attack surface.
3. Monitor server logs for repeated TLS 1.2 handshake attempts that may indicate exploitation attempts.
4. Test TLS configurations thoroughly to confirm that disabling TLS 1.2 does not allow fallback or unintended connections.
5. For embedded or IoT devices using Mbed TLS, coordinate with vendors for firmware updates addressing this issue.
6. Employ rate limiting and DoS protection mechanisms at the network perimeter to limit the impact of repeated handshake attempts.
These targeted steps go beyond generic TLS hardening by addressing the specific negotiation flaw and its operational context.
Affected Countries
United States, Germany, China, Japan, South Korea, United Kingdom, France, India, Brazil, Canada
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-03-11T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d9bb7ef31ef0b589382
Added to database: 2/25/2026, 9:46:03 PM
Last enriched: 2/28/2026, 10:30:32 AM
Last updated: 4/12/2026, 3:41:01 PM
Views: 9