CVE-2020-36475

moderate-risk
Published 2021-08-23

An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). The calculations performed by mbedtls_mpi_exp_mod are not limited; thus, supplying overly large parameters could lead to denial of service when generating Diffie-Hellman key pairs.

Do I need to act?

-
0.98% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (9)

Logo\! Cmr2020 Firmware
Logo\! Cmr2040 Firmware
Simatic Rtu3031C Firmware
Simatic Rtu3041C Firmware
Simatic Rtu3030C Firmware
Simatic Rtu3000C Firmware

Affected Vendors

Debian Siemens Arm

References (12)

Patch https://cert-portal.siemens.com/productcert/pdf/ssa-756638.pdf
Release Notes https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.9
Release Notes https://github.com/ARMmbed/mbedtls/releases/tag/v2.25.0
Release Notes https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.18
Mailing List https://lists.debian.org/debian-lts-announce/2021/11/msg00021.html
Mailing List https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html
Patch https://cert-portal.siemens.com/productcert/pdf/ssa-756638.pdf
Release Notes https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.9
Release Notes https://github.com/ARMmbed/mbedtls/releases/tag/v2.25.0
Release Notes https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.18
Mailing List https://lists.debian.org/debian-lts-announce/2021/11/msg00021.html
Mailing List https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html
44
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 3/34 · Minimal
Exposure 15/34 · Moderate