Certificate Verification Issue in Mbed TLS by ARM
CVE-2020-36477

5.9MEDIUM

Key Information:

Vendor: Arm
Status: Mbed Tls
Vendor: CVE Published:; 23 August 2021

Summary

A security issue in Mbed TLS prior to version 2.24.0 compromises the verification of X.509 certificates. The vulnerability occurs when comparing expected names to actual certificate names while handling the subjectAltName extension. If the subjecAltName extension is utilized, the verification process incorrectly allows an attacker to impersonate a domain by manipulating the 4-byte or 16-byte representation tied to an IPv4 or IPv6 address. The attacker must control the relevant IP address to exploit this flaw.

References

https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0

https://github.com/ARMmbed/mbedtls/issues/3498

https://security.gentoo.org/glsa/202301-08

vendor-advisory

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 23, 2021
Vulnerability Reserved
Aug 23, 2021