Miggo Logo

CVE-2018-1000520: ARM mbedTLS version 2.7.0 and earlier contains a Ciphersuite Allows Incorrectly Signed...

7.5

CVSS Score
3.0

Basic Information

EPSS Score
0.29271%
Published
5/13/2022
Updated
2/1/2023
KEV Status
No
Technology
-

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The provided information mentions that the vulnerability is in mbedtls_ssl_get_verify_result() in ARM mbedTLS version 2.7.0 and earlier. However, without access to the specific commit or patch that addresses this vulnerability (CVE-2018-1000520), it is not possible to definitively identify the vulnerable functions and provide concrete evidence from the code changes. The GitHub issue (https://github.com/ARMmbed/mbedtls/issues/1561) describes the problem but does not link to a fixing commit. An attempt to fetch a commit URL (e9282950326f8a37c9311e11510390117001a993) failed with a 404 error. Therefore, due to the lack of patch information, I cannot confidently identify the vulnerable functions as per the task guidelines.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*RM m***TLS v*rsion *.*.* *n* **rli*r *ont*ins * *ip**rsuit* *llows In*orr**tly Si*n** **rti*i**t*s vuln*r**ility in m***tls_ssl_**t_v*ri*y_r*sult() t**t **n r*sult in ***S*-si*n** **rti*i**t*s *r* ****pt**, w**n only RS*-si*n** on*s s*oul* **.. T*is

Reasoning

T** provi*** in*orm*tion m*ntions t**t t** vuln*r**ility is in `m***tls_ssl_**t_v*ri*y_r*sult()` in *RM m***TLS v*rsion *.*.* *n* **rli*r. *ow*v*r, wit*out ****ss to t** sp**i*i* *ommit or p*t** t**t ***r*ss*s t*is vuln*r**ility (*V*-****-*******), i