PT-2020-6619 · Mbed Tls · Alt Linux

Kfyatek · Published 2020-07-17 · Updated 2025-08-21 · CVE-2020-36477

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Mbed TLS versions prior to 2.24.0
Description: An issue in the verification of X.509 certificates allows an attacker to impersonate a domain by obtaining a certificate for the corresponding IPv4 or IPv6 address, provided they control that IP address. When a certificate carries a subjectAltName extension, mbedtls_x509_crt_verify() compares the expected name (its cn argument) against every entry of that extension regardless of the entry's type. An iPAddress entry is stored as the raw 4- or 16-byte binary address, so an expected hostname of exactly 4 or 16 characters matches an iPAddress entry whose bytes equal the hostname's ASCII bytes (for example, the name "a.io" matches an iPAddress entry for 97.46.105.111). An attacker who controls such an address can obtain a certificate for it from a CA the client trusts and present it when the client connects to the domain: the chain validates and the name check passes. The vector reflects this: no privileges or user interaction are required (PR:N/UI:N), but the attacker must control a specific IP address whose encoding collides with the target name (AC:H).
Recommendations: Update to Mbed TLS 2.24.0 or later, where a hostname is compared only against dNSName entries of the subjectAltName extension. Until the update is applied, do not rely on the cn argument of mbedtls_x509_crt_verify() to authenticate peers whose certificates carry a subjectAltName extension, and restrict use of that hostname check accordingly; expected names of exactly 4 or 16 characters are the ones exposed.
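The comparison described above, modelled in plain C as an added example that is not Mbed TLS's own code: san_match_any_type mirrors the pre-2.24.0 behaviour (every subjectAltName entry is compared, whatever its type), san_match_dns_only the corrected behaviour (dNSName entries only), and collision_ip_literal computes the IP address an attacker would need to control for a given hostname. The SAN entries, the hostname "a.io", the address 97.46.105.111 and the function names are all constructed for this example; the type tags use the RFC 5280 GeneralName context tag numbers, and the leading-label wildcard handling of the real Mbed TLS check is left out.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Model of a decoded subjectAltName list (constructed for this example; not
 * Mbed TLS's own structures). GeneralName context tags follow RFC 5280:
 * dNSName is [2], iPAddress is [7]. An iPAddress entry holds the raw 4- or
 * 16-byte address, not its dotted or colon-separated text form. */
#define SAN_DNS_NAME   2
#define SAN_IP_ADDRESS 7

typedef struct {
    int tag;                   /* SAN_DNS_NAME or SAN_IP_ADDRESS */
    const unsigned char *buf;  /* raw entry contents */
    size_t len;
} san_entry;

/* Exact byte comparison of one entry against the expected hostname.
 * The real Mbed TLS check also accepts a leading "*." wildcard; omitted here. */
static int san_bytes_equal(const san_entry *e, const char *name)
{
    size_t n = strlen(name);
    return e->len == n && memcmp(e->buf, name, n) == 0;
}

/* Pre-2.24.0 behaviour (modelled): the hostname is compared against every
 * entry, so an iPAddress entry whose raw bytes spell the hostname matches. */
int san_match_any_type(const san_entry *sans, size_t count, const char *name)
{
    for (size_t i = 0; i < count; i++)
        if (san_bytes_equal(&sans[i], name))
            return 1;
    return 0;
}

/* 2.24.0 behaviour (modelled): only dNSName entries can match a hostname. */
int san_match_dns_only(const san_entry *sans, size_t count, const char *name)
{
    for (size_t i = 0; i < count; i++)
        if (sans[i].tag == SAN_DNS_NAME && san_bytes_equal(&sans[i], name))
            return 1;
    return 0;
}

/* For a hostname of exactly 4 or 16 characters, write the IPv4 or IPv6
 * literal whose binary encoding equals the hostname's ASCII bytes, i.e. the
 * address an attacker would need to control. Returns 0 for other lengths,
 * where no such collision exists. */
int collision_ip_literal(const char *name, char *out, size_t outlen)
{
    const unsigned char *b = (const unsigned char *)name;
    size_t n = strlen(name);

    if (n == 4) {
        snprintf(out, outlen, "%u.%u.%u.%u",
                 (unsigned)b[0], (unsigned)b[1], (unsigned)b[2], (unsigned)b[3]);
        return 1;
    }
    if (n == 16) {
        size_t pos = 0;
        for (int i = 0; i < 8 && pos < outlen; i++)
            pos += (size_t)snprintf(out + pos, outlen - pos, "%02x%02x%s",
                                    (unsigned)b[2 * i], (unsigned)b[2 * i + 1],
                                    i < 7 ? ":" : "");
        return 1;
    }
    return 0;
}

/* Constructed attacker certificate: one iPAddress SAN for 97.46.105.111,
 * whose raw bytes 61 2e 69 6f are the ASCII of the hostname "a.io". */
static const unsigned char attacker_ip[4] = { 0x61, 0x2e, 0x69, 0x6f };
const san_entry attacker_sans[] = { { SAN_IP_ADDRESS, attacker_ip, 4 } };
const size_t attacker_san_count = 1;

/* Constructed legitimate certificate: a dNSName SAN for "a.io". */
static const unsigned char legit_dns[4] = { 'a', '.', 'i', 'o' };
const san_entry legit_sans[] = { { SAN_DNS_NAME, legit_dns, 4 } };
const size_t legit_san_count = 1;

int main(void)
{
    char ip[64];
    printf("attacker cert accepted for a.io, old check:   %d\n",
           san_match_any_type(attacker_sans, attacker_san_count, "a.io"));
    printf("attacker cert accepted for a.io, fixed check: %d\n",
           san_match_dns_only(attacker_sans, attacker_san_count, "a.io"));
    printf("legitimate cert accepted for a.io, fixed check: %d\n",
           san_match_dns_only(legit_sans, legit_san_count, "a.io"));
    if (collision_ip_literal("mail.example.com", ip, sizeof ip))
        printf("IPv6 address colliding with mail.example.com: %s\n", ip);
    return 0;
}
```

The fix is a single type check in the loop: restricting the comparison to dNSName entries means an iPAddress entry can never satisfy a hostname lookup, whatever its bytes. collision_ip_literal is useful for triage of an unpatched deployment: only expected names whose length is 4 (IPv4) or 16 (IPv6) have a colliding address at all.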

Fix: Mbed TLS 2.24.0

Weakness Enumeration

Improper Certificate Validation (CWE-295)

Related Identifiers

ALT-PU-2020-2711
ALT-PU-2021-2234
ALT-PU-2025-10462
BDU:2022-01651
CVE-2020-36477

Affected Products

Alt Linux
Mbed Tls