CVE-2020-36475 : What You Need to Know

An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). The calculations performed by mbedtls_mpi_exp_mod are not limited, potentially leading to denial of service when generating Diffie-Hellman key pairs.

Understanding CVE-2020-36475

This CVE highlights a vulnerability in Mbed TLS versions prior to 2.25.0, where certain calculations are not restricted, posing a risk of denial of service.

What is CVE-2020-36475?

CVE-2020-36475 is a vulnerability in Mbed TLS that allows for denial of service due to unrestricted calculations in mbedtls_mpi_exp_mod.

The Impact of CVE-2020-36475

The vulnerability could be exploited to disrupt the generation of Diffie-Hellman key pairs, potentially affecting the security and functionality of systems using Mbed TLS.

Technical Details of CVE-2020-36475

Vulnerability Description

The issue arises from the lack of limitations on calculations in mbedtls_mpi_exp_mod, which can be abused by supplying excessively large parameters.

Affected Systems and Versions

Vendor: n/a
Product: n/a
Affected Versions: All versions before 2.25.0, 2.16.9 LTS, and 2.7.18 LTS

Exploitation Mechanism

Attackers can exploit this vulnerability by providing oversized parameters, causing the system to perform unbounded calculations and potentially leading to a denial of service.

Mitigation and Prevention

Immediate Steps to Take

Update Mbed TLS to version 2.25.0 or later to mitigate the vulnerability.
Monitor for any unusual activity that could indicate exploitation of the vulnerability.

Long-Term Security Practices

Regularly update software and libraries to the latest versions to address known vulnerabilities.
Implement network security measures to detect and prevent unauthorized access.

Patching and Updates

Apply patches provided by Mbed TLS to fix the vulnerability and enhance the security of the system.