CVE-2020-36478Improper Certificate Validation in ARM Mbed TLS

CWE-295Improper Certificate Validation7 documents7 sources
Severity
7.5HIGHNVD
EPSS
0.5%
top 33.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Mbed MbedtlsARM Mbed TLSSiemens Logo ! Cmr2020 Firmware+2 more
Timeline
PublishedAug 23
Latest updateMay 24

Description

An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). A NULL algorithm parameters entry looks identical to an array of REAL (size zero) and thus the certificate is considered valid. However, if the parameters do not match in any way, then the certificate should be considered invalid.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

NVDarm/mbed_tls2.8.02.16.9+2
Debianmbed/mbedtls< 2.16.9-0.1+3

Also affects: Debian Linux 10.0, 9.0

Patches

Patch: cert-portal.siemens.comPatch: cert-portal.siemens.com

🔴Vulnerability Details

3
GHSA
GHSA-8xrj-2854-7x44: An issue was discovered in Mbed TLS before 22022-05-24
CVEList
CVE-2020-36478: An issue was discovered in Mbed TLS before 22021-08-23
OSV
CVE-2020-36478: An issue was discovered in Mbed TLS before 22021-08-23

📋Vendor Advisories

3
CISA ICS
Siemens LOGO! CMR and SIMATIC RTU 30002021-09-14
Microsoft
An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). A NULL algorithm parameters entry looks identical to an array of REAL (size zero) and thus the certific2021-08-10
Debian
CVE-2020-36478: mbedtls - An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and bef...2020
CVE-2020-36478 — Improper Certificate Validation in ARM | cvebase