N/A

An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify) with the actual certificate name is mishandled: when the subjecAltName extension is present, the expected name is compared to any name in that extension regardless of its type. This means that an attacker could impersonate a 4-byte or 16-byte domain by getting a certificate for the corresponding IPv4 or IPv6 address (this would require the attacker to control that IP address, though).

N/A

N/A

ARM mbed TLS 信任管理问题漏洞

ARM mbed TLS是英国ARM公司的一款为mbed产品提供安全通讯和加密功能的产品。 ARM mbed TLS 2.24.0之前版本存在安全漏洞，该漏洞源于将预期的公共名称与实际的证书名称匹配时，对X.509证书的验证处理错误，当SubjectCaltName扩展存在时，预期名称将与该扩展中的任何名称进行比较，而不管其类型如何。这意味着攻击者可以通过获取相应IPv4或IPv6地址的证书来模拟4字节或16字节域。

N/A

N/A