CVE-2020-36475
First published: Mon Aug 23 2021(Updated: )
An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). The calculations performed by mbedtls_mpi_exp_mod are not limited; thus, supplying overly large parameters could lead to denial of service when generating Diffie-Hellman key pairs.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ARM mbed TLS | <2.7.18 | |
| ARM mbed TLS | >=2.8.0<2.16.9 | |
| ARM mbed TLS | >=2.17.0<2.25.0 | |
| Siemens Logo\! Cmr2020 Firmware | <2.2 | |
| Siemens Logo\! Cmr2020 | ||
| Siemens Logo\! Cmr2040 Firmware | <2.2 | |
| Siemens Logo\! Cmr2040 | ||
| Siemens Simatic Rtu3031c Firmware | ||
| Siemens Simatic Rtu3031c | ||
| Siemens Simatic Rtu3041c Firmware | ||
| Siemens Simatic Rtu3041c | ||
| Siemens Simatic Rtu3030c Firmware | ||
| Siemens Simatic Rtu3030c | ||
| Siemens Simatic Rtu3000c Firmware | ||
| Siemens Simatic Rtu3000c | ||
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://cert-portal.siemens.com/productcert/pdf/ssa-756638.pdf
- https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.9
- https://github.com/ARMmbed/mbedtls/releases/tag/v2.25.0
- https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.18
- https://lists.debian.org/debian-lts-announce/2021/11/msg00021.html
- https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2020-36475.
What is the severity of CVE-2020-36475?
The severity of CVE-2020-36475 is high with a severity value of 7.5.
Which software versions are affected by CVE-2020-36475?
CVE-2020-36475 affects Mbed TLS versions before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS).
What is the impact of CVE-2020-36475?
CVE-2020-36475 could lead to denial of service when generating Diffie-Hellman key pairs.
How can I fix CVE-2020-36475?
To fix CVE-2020-36475, update to Mbed TLS version 2.25.0 (or version 2.16.9 LTS or 2.7.18 LTS) or later.
- collector/nvd-index
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/tags
- agent/type
- agent/event
- agent/description
- agent/last-modified-date
- agent/remedy
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/arm
- canonical/arm mbed tls
- version/arm mbed tls/2.8.0
- version/arm mbed tls/2.17.0
- vendor/siemens
- canonical/siemens logo\! cmr2020 firmware
- canonical/siemens logo\! cmr2020
- canonical/siemens logo\! cmr2040 firmware
- canonical/siemens logo\! cmr2040
- canonical/siemens simatic rtu3031c firmware
- canonical/siemens simatic rtu3031c
- canonical/siemens simatic rtu3041c firmware
- canonical/siemens simatic rtu3041c
- canonical/siemens simatic rtu3030c firmware
- canonical/siemens simatic rtu3030c
- canonical/siemens simatic rtu3000c firmware
- canonical/siemens simatic rtu3000c
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0