ID
VAR-202006-0087
CVE
CVE-2020-12884
TITLE
Arm Mbed OS Out-of-bounds read vulnerability in
Trust: 0.8
DESCRIPTION
A buffer over-read was discovered in the CoAP library in Arm Mbed OS 5.15.3. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse_multiple_options() parses CoAP options that may occur multiple consecutive times in a single packet. While processing the options, packet_data_pptr is accessed after being incremented by option_len without a prior out-of-bounds memory check. The temp_parsed_uri_query_ptr is validated for a correct range, but the range valid for temp_parsed_uri_query_ptr is derived from the amount of allocated heap memory, not the actual input size. Therefore the check of temp_parsed_uri_query_ptr may be insufficient for safe access to the area pointed to by packet_data_pptr. As a result, access to a memory area outside of the intended boundary of the packet buffer is made. Arm Mbed OS Exists in an out-of-bounds read vulnerability.Information is obtained and service operation is interrupted (DoS) It may be put into a state. ARM Mbed OS is a set of open source embedded operating system dedicated to the Internet of Things of the British ARM company. CoAP library is one of the Constrained Application Protocol (CoAP) libraries. An attacker can use this vulnerability to consume all available resources and cause a denial of service
Trust: 2.7
IOT TAXONOMY
| category: | ['IoT'] | sub_category: | - | Trust: 0.6 |
AFFECTED PRODUCTS
| vendor: | arm | model: | mbed os | scope: | eq | version: | 5.15.3 | Trust: 2.4 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-125 | Trust: 1.8 |
THREAT TYPE
remote
Trust: 0.6
TYPE
buffer error
Trust: 0.6
CONFIGURATIONS
PATCH
| title: | Bugfix/coap parser mem access bugs #116 | url: | https://github.com/ARMmbed/mbed-coap/pull/116 | Trust: 0.8 |
| title: | Out of range memory access in MbedOS CoAP library parser - sn_coap_parser_options_parse_multiple_options #12928 | url: | https://github.com/ARMmbed/mbed-os/issues/12928 | Trust: 0.8 |
| title: | Patch for ARM Mbed OS CoAP library buffer overflow vulnerability (CNVD-2021-20267) | url: | https://www.cnvd.org.cn/patchInfo/show/253721 | Trust: 0.6 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2020-12884 | Trust: 3.0 |
| db: | JVNDB | id: | JVNDB-2020-007008 | Trust: 0.8 |
| db: | CNVD | id: | CNVD-2021-20267 | Trust: 0.6 |
| db: | CNNVD | id: | CNNVD-202006-1277 | Trust: 0.6 |
REFERENCES
| url: | https://github.com/armmbed/mbed-os/issues/12928 | Trust: 1.6 |
| url: | https://github.com/armmbed/mbed-coap/pull/116 | Trust: 1.6 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2020-12884 | Trust: 1.4 |
| url: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-12884 | Trust: 0.8 |
SOURCES
| db: | CNVD | id: | CNVD-2021-20267 |
| db: | JVNDB | id: | JVNDB-2020-007008 |
| db: | CNNVD | id: | CNNVD-202006-1277 |
| db: | NVD | id: | CVE-2020-12884 |
LAST UPDATE DATE
2024-11-23T22:37:23.070000+00:00
SOURCES UPDATE DATE
| db: | CNVD | id: | CNVD-2021-20267 | date: | 2021-03-23T00:00:00 |
| db: | JVNDB | id: | JVNDB-2020-007008 | date: | 2020-07-29T00:00:00 |
| db: | CNNVD | id: | CNNVD-202006-1277 | date: | 2020-07-02T00:00:00 |
| db: | NVD | id: | CVE-2020-12884 | date: | 2024-11-21T05:00:29.287 |
SOURCES RELEASE DATE
| db: | CNVD | id: | CNVD-2021-20267 | date: | 2021-03-18T00:00:00 |
| db: | JVNDB | id: | JVNDB-2020-007008 | date: | 2020-07-29T00:00:00 |
| db: | CNNVD | id: | CNNVD-202006-1277 | date: | 2020-06-18T00:00:00 |
| db: | NVD | id: | CVE-2020-12884 | date: | 2020-06-18T19:15:09.973 |