Bug 1189740 - (CVE-2020-36477) VUL-0: CVE-2020-36477: mbedtls: The verification of X.509 certificates when matching the expected common name with the actual certificate name is mishandled
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.2
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Assigned To: Martin Pluskal
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/307804/
Reported: 2021-08-24 08:41 UTC by Robert Frohl
Modified: 2021-08-24 09:15 UTC

Found By: Security Response Team
Description Robert Frohl 2021-08-24 08:41:28 UTC
CVE-2020-36477

An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509
certificates when matching the expected common name (the cn argument of
mbedtls_x509_crt_verify) with the actual certificate name is mishandled: when
the subjectAltName extension is present, the expected name is compared to any
name in that extension regardless of its type. This means that an attacker could
impersonate a 4-byte or 16-byte domain by getting a certificate for the
corresponding IPv4 or IPv6 address (this would require the attacker to control
that IP address, though).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36477
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36477
https://github.com/ARMmbed/mbedtls/issues/3498
https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0
http://www.cvedetails.com/cve/CVE-2020-36477/
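As an added illustration that is not part of this report or of mbed TLS's own code, the following C model contrasts the type-blind subjectAltName comparison described above with a dNSName-only comparison. It uses a constructed SAN list in which an iPAddress entry's four raw bytes happen to spell a four-character host name; the structure and function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of subjectAltName GeneralName entries (not mbed TLS's own
 * types); only the two tags relevant to this report are modelled. */
enum san_type { SAN_DNS_NAME = 2, SAN_IP_ADDRESS = 7 };
struct san_entry { enum san_type type; const unsigned char *value; size_t len; };

/* Pre-2.24.0 behaviour described above: the expected name is compared bytewise
 * with every SAN entry, ignoring the entry's type. */
int san_match_any_type(const struct san_entry *sans, size_t n, const char *cn)
{
    size_t cn_len = strlen(cn);
    for (size_t i = 0; i < n; i++)
        if (sans[i].len == cn_len && memcmp(sans[i].value, cn, cn_len) == 0)
            return 1;
    return 0;
}

/* Corrected behaviour: a host name may only match dNSName entries, so raw
 * iPAddress bytes that happen to spell the name are never considered. */
int san_match_dns_only(const struct san_entry *sans, size_t n, const char *cn)
{
    size_t cn_len = strlen(cn);
    for (size_t i = 0; i < n; i++)
        if (sans[i].type == SAN_DNS_NAME && sans[i].len == cn_len &&
            memcmp(sans[i].value, cn, cn_len) == 0)
            return 1;
    return 0;
}

/* Constructed certificate: one dNSName plus one IPv4 address whose four raw
 * bytes 0x61 0x62 0x63 0x64 (97.98.99.100) spell the ASCII string "abcd". */
static const unsigned char dns_bytes[] = "example.test";
static const unsigned char ip_bytes[] = { 0x61, 0x62, 0x63, 0x64 };
const struct san_entry sample_sans[] = {
    { SAN_DNS_NAME, dns_bytes, sizeof(dns_bytes) - 1 },
    { SAN_IP_ADDRESS, ip_bytes, sizeof(ip_bytes) },
};
const size_t sample_sans_count = sizeof(sample_sans) / sizeof(sample_sans[0]);

int main(void)
{
    printf("any-type match for \"abcd\": %d\n",
           san_match_any_type(sample_sans, sample_sans_count, "abcd"));
    printf("dns-only match for \"abcd\": %d\n",
           san_match_dns_only(sample_sans, sample_sans_count, "abcd"));
    return 0;
}
```

The type-blind matcher accepts "abcd" because of the iPAddress entry, while the dNSName-only matcher rejects it and still accepts the genuine host name.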
Comment 1 Robert Frohl 2021-08-24 08:44:03 UTC
fixed in factory, not sure if relevant for Leap