CVE-2020-36477

EUVD-2020-23963
An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify) with the actual certificate name is mishandled: when the subjecAltName extension is present, the expected name is compared to any name in that extension regardless of its type. This means that an attacker could impersonate a 4-byte or 16-byte domain by getting a certificate for the corresponding IPv4 or IPv6 address (this would require the attacker to control that IP address, though).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 32%
Affected Products (NVD)
VendorProductVersion
armmbed_tls
𝑥
< 2.24.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
mbedtls
bookworm
2.28.3-1
fixed
bullseye
2.16.9-0.1
not-affected
buster
not-affected
sid
3.6.2-1
fixed
stretch
not-affected
trixie
2.28.8-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mbedtls
bionic
needs-triage
focal
needs-triage
hirsute
ignored
impish
ignored
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
trusty
dne
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/ARMmbed/mbedtls/issues/3498
https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0
https://security.gentoo.org/glsa/202301-08
https://github.com/ARMmbed/mbedtls/issues/3498
https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0
https://security.gentoo.org/glsa/202301-08