Bug 1189740 (CVE-2020-36477)

Summary: VUL-0: CVE-2020-36477: mbedtls: The verification of X.509 certificates when matching the expected common name with the actual certificate name is mishandled
Product: [openSUSE] openSUSE Distribution
Reporter: Robert Frohl <rfrohl>
Component: Security
Assignee: Martin Pluskal <mpluskal>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
Version: Leap 15.2
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/307804/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2021-08-24 08:41:28 UTC
CVE-2020-36477

An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509
certificates when matching the expected common name (the cn argument of
mbedtls_x509_crt_verify) with the actual certificate name is mishandled: when
the subjectAltName extension is present, the expected name is compared to any
name in that extension regardless of its type. This means that an attacker could
impersonate a 4-byte or 16-byte domain by getting a certificate for the
corresponding IPv4 or IPv6 address (this would require the attacker to control
that IP address, though).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36477
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36477
https://github.com/ARMmbed/mbedtls/issues/3498
https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0
http://www.cvedetails.com/cve/CVE-2020-36477/
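The type-blind matching the report describes, beside a type-aware check, as an added illustration that is not mbedtls code: the SAN model (`san_type`, `san_entry`), the two matching functions and the constructed certificate entries are assumptions for this example.

```c
#include <ctype.h>
#include <string.h>

/* Constructed model of two subjectAltName GeneralName types; these names are
 * assumptions for this example, not mbedtls identifiers. */
enum san_type { SAN_DNS_NAME, SAN_IP_ADDRESS };

struct san_entry {
    enum san_type type;
    const unsigned char *value;   /* raw bytes as stored in the extension */
    size_t len;
};

/* Pre-2.24.0 behaviour as the report describes it: the expected name is
 * compared byte-for-byte against every SAN entry, whatever its type. */
int san_match_any_type(const struct san_entry *sans, size_t n, const char *expected)
{
    size_t elen = strlen(expected);
    for (size_t i = 0; i < n; i++)
        if (sans[i].len == elen && memcmp(sans[i].value, expected, elen) == 0)
            return 1;
    return 0;
}

/* Type-aware check: a hostname may only match a dNSName entry (DNS labels are
 * case-insensitive), so an iPAddress entry whose 4 or 16 raw bytes happen to
 * spell the hostname is never a match. */
int san_match_dns_only(const struct san_entry *sans, size_t n, const char *expected)
{
    size_t elen = strlen(expected);
    for (size_t i = 0; i < n; i++) {
        if (sans[i].type != SAN_DNS_NAME || sans[i].len != elen)
            continue;
        size_t j = 0;
        while (j < elen && tolower(sans[i].value[j]) == tolower((unsigned char)expected[j]))
            j++;
        if (j == elen)
            return 1;
    }
    return 0;
}

/* Constructed certificate: a dNSName "example.test" plus an iPAddress entry
 * whose four bytes 0x68 0x6f 0x73 0x74 (104.111.115.116) read as ASCII "host". */
static const unsigned char ip_bytes[4] = { 0x68, 0x6f, 0x73, 0x74 };
const struct san_entry sample_sans[2] = {
    { SAN_DNS_NAME,   (const unsigned char *)"example.test", 12 },
    { SAN_IP_ADDRESS, ip_bytes, 4 },
};
```

With this certificate, the type-blind check accepts the expected name "host" because it matches the iPAddress bytes, while the type-aware check only accepts "example.test".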

Comment 1 Robert Frohl 2021-08-24 08:44:03 UTC
fixed in factory, not sure if relevant for Leap