ID

VAR-202006-0088


CVE

CVE-2020-12885


TITLE

Arm Mbed OS Infinite loop vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-007009

DESCRIPTION

An infinite loop was discovered in the CoAP library in Arm Mbed OS 5.15.3. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse_multiple_options() parses CoAP options in a while loop. This loop's exit condition is computed using the previously allocated heap memory required for storing the result of parsing multiple options. If the input heap memory calculation results in zero bytes, the loop exit condition is never met and the loop is not terminated. As a result, the packet parsing function never exits, leading to resource consumption. Arm Mbed OS is an open source embedded operating system for the Internet of Things from the British company ARM. The CoAP library is one of its Constrained Application Protocol (CoAP) libraries. Attackers can use this vulnerability to create an infinite loop.

Trust: 2.7

sources: NVD: CVE-2020-12885 // JVNDB: JVNDB-2020-007009 // CNVD: CNVD-2021-20268 // CNNVD: CNNVD-202006-1278

IOT TAXONOMY

category: ['IoT']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-20268

AFFECTED PRODUCTS

vendor: arm
model: mbed os
scope: eq
version: 5.15.3

Trust: 2.4

sources: CNVD: CNVD-2021-20268 // JVNDB: JVNDB-2020-007009 // NVD: CVE-2020-12885

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-12885
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-007009
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-20268
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202006-1278
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2020-12885
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-007009
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2021-20268
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-12885
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-007009
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-20268 // JVNDB: JVNDB-2020-007009 // CNNVD: CNNVD-202006-1278 // NVD: CVE-2020-12885

PROBLEMTYPE DATA

problemtype: CWE-835

Trust: 1.8

sources: JVNDB: JVNDB-2020-007009 // NVD: CVE-2020-12885

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-1278

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202006-1278

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-007009

PATCH

title: Bugfix/coap parser mem access bugs #116
url: https://github.com/ARMmbed/mbed-coap/pull/116

Trust: 0.8

title: Infinite loop in MbedOS CoAP library parser #12929
url: https://github.com/ARMmbed/mbed-os/issues/12929

Trust: 0.8

title: Patch for Arm Mbed OS Denial of Service Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/253726

Trust: 0.6

title: ARM Mbed OS Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=122587

Trust: 0.6

sources: CNVD: CNVD-2021-20268 // JVNDB: JVNDB-2020-007009 // CNNVD: CNNVD-202006-1278

EXTERNAL IDS

db: NVD
id: CVE-2020-12885

Trust: 3.0

db: JVNDB
id: JVNDB-2020-007009

Trust: 0.8

db: CNVD
id: CNVD-2021-20268

Trust: 0.6

db: CNNVD
id: CNNVD-202006-1278

Trust: 0.6

sources: CNVD: CNVD-2021-20268 // JVNDB: JVNDB-2020-007009 // CNNVD: CNNVD-202006-1278 // NVD: CVE-2020-12885

REFERENCES

url: https://github.com/armmbed/mbed-coap/pull/116

Trust: 1.6

url: https://github.com/armmbed/mbed-os/issues/12929

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2020-12885

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-12885

Trust: 0.8

sources: JVNDB: JVNDB-2020-007009 // CNNVD: CNNVD-202006-1278 // NVD: CVE-2020-12885

SOURCES

db: CNVD, id: CNVD-2021-20268
db: JVNDB, id: JVNDB-2020-007009
db: CNNVD, id: CNNVD-202006-1278
db: NVD, id: CVE-2020-12885

LAST UPDATE DATE

2024-11-23T22:47:59.521000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-20268, date: 2021-03-23T00:00:00
db: JVNDB, id: JVNDB-2020-007009, date: 2020-07-29T00:00:00
db: CNNVD, id: CNNVD-202006-1278, date: 2020-06-30T00:00:00
db: NVD, id: CVE-2020-12885, date: 2024-11-21T05:00:29.437

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-20268, date: 2021-03-18T00:00:00
db: JVNDB, id: JVNDB-2020-007009, date: 2020-07-29T00:00:00
db: CNNVD, id: CNNVD-202006-1278, date: 2020-06-18T00:00:00
db: NVD, id: CVE-2020-12885, date: 2020-06-18T19:15:10.050