CVE-2020-36476 – This vulnerability in Mbed TLS allows sensitive... (How to Fix)

Q: What is the severity of CVE-2020-36476?

CVE-2020-36476 has a CVSS score of 7.5 (HIGH). This vulnerability in Mbed TLS allows sensitive application data to remain in memory after SSL/TLS sessions, potentially exposing it to attackers who can read process memory. It affects all systems using vulnerable versions of Mbed TLS for SSL/TLS operations. The issue specifically occurs in the mbedtls_ssl_read function where plaintext buffers aren't properly cleared.

📋 TL;DR

This vulnerability in Mbed TLS allows sensitive application data to remain in memory after SSL/TLS sessions, potentially exposing it to attackers who can read process memory. It affects all systems using vulnerable versions of Mbed TLS for SSL/TLS operations. The issue specifically occurs in the mbedtls_ssl_read function where plaintext buffers aren't properly cleared.

💻 Affected Systems

Products:

Mbed TLS
Applications using Mbed TLS library

Versions: All versions before 2.24.0, before 2.16.8 LTS, and before 2.7.17 LTS

Operating Systems: All operating systems using affected Mbed TLS versions

Default Config Vulnerable: ⚠️ Yes

Notes: Affects any configuration using mbedtls_ssl_read function. Embedded systems and IoT devices using Mbed TLS are particularly affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers with memory access could extract sensitive application data (passwords, session tokens, financial information) from running processes, leading to data breaches and credential theft.

🟠

Likely Case

Information disclosure where attackers with existing access to system memory could extract residual application data from SSL/TLS sessions.

🟢

If Mitigated

Minimal impact if proper memory isolation and access controls prevent unauthorized memory access.

🌐 Internet-Facing: MEDIUM - While exploitation requires memory access, internet-facing systems are more exposed to attackers who might gain such access through other vulnerabilities.

🏢 Internal Only: LOW - Internal systems typically have better access controls, but risk exists if attackers gain internal foothold.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires ability to read process memory, typically through another vulnerability or privileged access. No public exploits have been documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.24.0, 2.16.8 LTS, or 2.7.17 LTS

Vendor Advisory: https://github.com/ARMmbed/mbedtls/releases

Restart Required: Yes

Instructions:

1. Identify Mbed TLS version in use. 2. Update to patched version: 2.24.0, 2.16.8 LTS, or 2.7.17 LTS. 3. Recompile applications using Mbed TLS. 4. Restart affected services.

🔧 Temporary Workarounds

Memory Protection Controls

all

Implement strict memory access controls and process isolation to prevent unauthorized memory reading

🧯 If You Can't Patch

Implement strict access controls to prevent unauthorized memory access
Isolate affected systems and limit exposure to untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check Mbed TLS version: ldd /path/to/application | grep mbedtls, then check version in library or application output

Check Version:

strings /usr/lib/libmbedtls.so | grep '^Version' or check application's version output

Verify Fix Applied:

Verify Mbed TLS version is 2.24.0+, 2.16.8 LTS+, or 2.7.17 LTS+

📡 Detection & Monitoring

Log Indicators:

Memory access violations
Unexpected process memory reads

Network Indicators:

Unusual outbound data transfers from affected systems

SIEM Query:

Process:MemoryAccess AND TargetProcess:(contains 'mbedtls' OR contains affected_application)

📊 Metadata

CVE ID: CVE-2020-36476

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-212

Published: August 23, 2021

Last Updated: November 21, 2024

🔗 References

https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8 Release Notes,Third Party Advisory
https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0 Release Notes,Third Party Advisory
https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.17 Release Notes,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/11/msg00021.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html Mailing List,Third Party Advisory
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8 Release Notes,Third Party Advisory
https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0 Release Notes,Third Party Advisory
https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.17 Release Notes,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/11/msg00021.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html Mailing List,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-36476, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Debian Linux by Debian

Debian Linux by Debian

Mbed Tls by Arm

Mbed Tls by Arm

Mbed Tls by Arm

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Memory Protection Controls

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities