Certificate Verification Issue in Mbed TLS by ARM
CVE-2020-36477

5.9MEDIUM

Key Information:

Vendor

Arm
Status
Mbed Tls
Vendor
CVE Published:
23 August 2021

What is CVE-2020-36477?

A security issue in Mbed TLS prior to version 2.24.0 compromises the verification of X.509 certificates. The vulnerability occurs when comparing expected names to actual certificate names while handling the subjectAltName extension. If the subjecAltName extension is utilized, the verification process incorrectly allows an attacker to impersonate a domain by manipulating the 4-byte or 16-byte representation tied to an IPv4 or IPv6 address. The attacker must control the relevant IP address to exploit this flaw.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0
https://github.com/ARMmbed/mbedtls/issues/3498
https://security.gentoo.org/glsa/202301-08
vendor-advisory

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.