CVE-2020-36423 — Cleartext Transmission of Sensitive Info in ARM Mbed TLS

CWE-319 — Cleartext Transmission of Sensitive Info6 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 28.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mbed Mbedtls ARM Mbed TLS Debian Linux

Timeline

PublishedJul 19

Latest updateMay 13

Description

An issue was discovered in Arm Mbed TLS before 2.23.0. A remote attacker can recover plaintext because a certain Lucky 13 countermeasure doesn't properly consider the case of a hardware accelerator.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDarm/mbed_tls2.17.0 — 2.23.0+1

▶Debianmbed/mbedtls< 2.16.9-0.1+3

Also affects: Debian Linux 10.0

Patches

Patch: bugs.gentoo.org ↗Patch: bugs.gentoo.org ↗

🔴Vulnerability Details

GHSA

GHSA-x2rg-rvm2-p2f9: An issue was discovered in Arm Mbed TLS before 2↗2022-05-24

▶

CVEList

CVE-2020-36423: An issue was discovered in Arm Mbed TLS before 2↗2021-07-19

▶

OSV

CVE-2020-36423: An issue was discovered in Arm Mbed TLS before 2↗2021-07-19

▶

📋Vendor Advisories

Debian

CVE-2020-36423: mbedtls - An issue was discovered in Arm Mbed TLS before 2.23.0. A remote attacker can rec...↗2020

▶

📄Research Papers

arXiv

SoK: Where's the "up"?! A Comprehensive (bottom-up) Study on the Security of Arm Cortex-M Systems↗2024-05-13

▶