CVE-2020-36478
First published: Mon Aug 23 2021(Updated: )
An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). A NULL algorithm parameters entry looks identical to an array of REAL (size zero) and thus the certificate is considered valid. However, if the parameters do not match in any way, then the certificate should be considered invalid.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ARM mbed TLS | <2.7.18 | |
| ARM mbed TLS | >=2.8.0<2.16.9 | |
| ARM mbed TLS | >=2.17.0<2.25.0 | |
| Siemens Logo\! Cmr2020 Firmware | <2.2 | |
| Siemens Logo\! Cmr2020 | ||
| Siemens Logo\! Cmr2040 Firmware | <2.2 | |
| Siemens Logo\! Cmr2040 | ||
| Siemens Simatic Rtu3031c Firmware | ||
| Siemens Simatic Rtu3031c | ||
| Siemens Simatic Rtu3041c Firmware | ||
| Siemens Simatic Rtu3041c | ||
| Siemens Simatic Rtu3030c Firmware | ||
| Siemens Simatic Rtu3030c | ||
| Siemens Simatic Rtu3000c Firmware | ||
| Siemens Simatic Rtu3000c | ||
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://cert-portal.siemens.com/productcert/pdf/ssa-756638.pdf
- https://github.com/ARMmbed/mbedtls/issues/3629
- https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.9
- https://github.com/ARMmbed/mbedtls/releases/tag/v2.25.0
- https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.18
- https://lists.debian.org/debian-lts-announce/2021/11/msg00021.html
- https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html
Frequently Asked Questions
What is CVE-2020-36478?
CVE-2020-36478 is a vulnerability in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS) that allows a NULL algorithm parameters entry to be considered valid.
How does CVE-2020-36478 affect ARM mbed TLS?
CVE-2020-36478 affects ARM mbed TLS versions before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS) by allowing a NULL algorithm parameters entry to be considered valid.
Is Siemens Logo! CMR2020 Firmware affected by CVE-2020-36478?
Siemens Logo! CMR2020 Firmware versions up to 2.2 are affected by CVE-2020-36478.
How can I fix CVE-2020-36478?
To fix CVE-2020-36478, update to Mbed TLS version 2.25.0 or later (or versions 2.16.9 LTS and 2.7.18 LTS if available).
What is the severity of CVE-2020-36478?
CVE-2020-36478 has a severity rating of 7.5 (high).
- collector/nvd-index
- agent/weakness
- agent/tags
- agent/event
- agent/references
- agent/severity
- agent/author
- agent/description
- agent/type
- agent/remedy
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- vendor/arm
- canonical/arm mbed tls
- version/arm mbed tls/2.8.0
- version/arm mbed tls/2.17.0
- vendor/siemens
- canonical/siemens logo\! cmr2020 firmware
- canonical/siemens logo\! cmr2020
- canonical/siemens logo\! cmr2040 firmware
- canonical/siemens logo\! cmr2040
- canonical/siemens simatic rtu3031c firmware
- canonical/siemens simatic rtu3031c
- canonical/siemens simatic rtu3041c firmware
- canonical/siemens simatic rtu3041c
- canonical/siemens simatic rtu3030c firmware
- canonical/siemens simatic rtu3030c
- canonical/siemens simatic rtu3000c firmware
- canonical/siemens simatic rtu3000c
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0