ID

VAR-202006-0089


CVE

CVE-2020-12886


TITLE

Out-of-bounds read vulnerability in Arm Mbed OS

Trust: 0.8

sources: JVNDB: JVNDB-2020-007010

DESCRIPTION

A buffer over-read was discovered in the CoAP library in Arm Mbed OS 5.15.3. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses the CoAP packet header starting from the message token. The length of the token in the received message is taken from the first byte parsed by sn_coap_parser_options_parse(). That length is not validated against the actual length of the input buffer before the token is accessed, so memory outside the intended bounds of the buffer may be read. Arm Mbed OS therefore contains an out-of-bounds read vulnerability; exploitation may disclose information or interrupt service operation (DoS). ARM Mbed OS is an open-source embedded operating system for the Internet of Things from the UK company ARM, and the CoAP library is its implementation of the Constrained Application Protocol (CoAP). An attacker can send a malformed CoAP packet to exploit this vulnerability and obtain sensitive information or cause a denial of service.
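The check the description says is missing, shown as an added example in plain C. This is not code from Mbed OS or mbed-coap; the struct and function names (coap_token_t, coap_parse_token, coap_unchecked_overread, the SAMPLE_* buffers) are hypothetical, and the only facts taken from outside this page are the CoAP wire layout from RFC 7252: a 4-byte fixed header whose first byte carries the token length TKL in its low 4 bits, followed by TKL token bytes, with TKL values 9 to 15 reserved. The hardened parser rejects a packet whose TKL exceeds the bytes actually received; a second helper computes, without dereferencing anything, how far a parser that trusts TKL would read past the end of the same constructed buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Mbed OS / mbed-coap code. Type and function names
 * are hypothetical; the wire layout follows RFC 7252 section 3. */

#define COAP_HDR_LEN 4   /* Ver|T|TKL, Code, Message ID (2 bytes) */
#define COAP_MAX_TKL 8   /* TKL 9..15 are reserved by RFC 7252 */

enum {
    COAP_OK = 0,
    COAP_ERR_SHORT_HEADER = -1,    /* fewer than 4 bytes received */
    COAP_ERR_BAD_TKL = -2,         /* reserved TKL value 9..15 */
    COAP_ERR_TOKEN_TRUNCATED = -3  /* TKL larger than the bytes that follow */
};

typedef struct {
    uint8_t version;
    uint8_t type;
    uint8_t code;
    uint8_t token_len;
    uint16_t message_id;
    uint8_t token[COAP_MAX_TKL];
    const uint8_t *options;  /* first byte after the token */
    size_t options_len;      /* bytes remaining after the token */
} coap_token_t;

/* Hardened parse of the fixed header and token. Every length taken from
 * the packet is compared with the real buffer length before it is used
 * to index the buffer. */
int coap_parse_token(const uint8_t *buf, size_t len, coap_token_t *out)
{
    if (len < COAP_HDR_LEN)
        return COAP_ERR_SHORT_HEADER;

    uint8_t tkl = buf[0] & 0x0F;            /* low 4 bits of byte 0 */
    if (tkl > COAP_MAX_TKL)
        return COAP_ERR_BAD_TKL;
    if (tkl > len - COAP_HDR_LEN)           /* bound TKL by received bytes */
        return COAP_ERR_TOKEN_TRUNCATED;

    memset(out, 0, sizeof(*out));
    out->version    = buf[0] >> 6;
    out->type       = (buf[0] >> 4) & 0x03;
    out->code       = buf[1];
    out->message_id = (uint16_t)((buf[2] << 8) | buf[3]);
    out->token_len  = tkl;
    memcpy(out->token, buf + COAP_HDR_LEN, tkl);
    out->options     = buf + COAP_HDR_LEN + tkl;
    out->options_len = len - COAP_HDR_LEN - tkl;
    return COAP_OK;
}

/* Status-only wrapper, convenient for checking many samples. */
int coap_parse_status(const uint8_t *buf, size_t len)
{
    coap_token_t t;
    return coap_parse_token(buf, len, &t);
}

/* Number of bytes past the end of buf that a parser trusting TKL without
 * the check above would read. Pure arithmetic, nothing is dereferenced
 * beyond byte 0, so it is safe to call on the malformed sample. */
size_t coap_unchecked_overread(const uint8_t *buf, size_t len)
{
    if (len < 1)
        return 0;
    size_t token_end = COAP_HDR_LEN + (size_t)(buf[0] & 0x0F);
    return token_end > len ? token_end - len : 0;
}

/* Constructed sample packets (not captured traffic). */
/* CON GET, TKL=4, token DE AD BE EF, one Uri-Path option "temp". */
const uint8_t SAMPLE_GOOD[] = { 0x44, 0x01, 0x12, 0x34,
                                0xDE, 0xAD, 0xBE, 0xEF,
                                0xB4, 't', 'e', 'm', 'p' };
/* TKL=8 but only 2 bytes follow the header: the vulnerable shape. */
const uint8_t SAMPLE_TRUNCATED[] = { 0x48, 0x01, 0x12, 0x34, 0xAA, 0xBB };
/* TKL=15, a reserved value. */
const uint8_t SAMPLE_RESERVED[] = { 0x4F, 0x01, 0x12, 0x34 };
/* Two bytes, shorter than the fixed header. */
const uint8_t SAMPLE_SHORT[] = { 0x40, 0x01 };

int main(void)
{
    coap_token_t t;
    int rc = coap_parse_token(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &t);
    printf("good: rc=%d tkl=%u mid=0x%04x options_len=%zu\n",
           rc, t.token_len, t.message_id, t.options_len);
    printf("truncated: rc=%d, unchecked parser would read %zu bytes past end\n",
           coap_parse_status(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED),
           coap_unchecked_overread(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("reserved: rc=%d\n", coap_parse_status(SAMPLE_RESERVED, sizeof SAMPLE_RESERVED));
    printf("short: rc=%d\n", coap_parse_status(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    return 0;
}
```

The order of the three checks matters: the header-length check must come first so that `len - COAP_HDR_LEN` cannot underflow, and the reserved-value check rejects TKL 9 to 15 before they are ever compared with the buffer. The same pattern (bound every length field by the bytes actually received) applies to the option lengths and payload marker that follow the token.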

Trust: 2.7

sources: NVD: CVE-2020-12886 // JVNDB: JVNDB-2020-007010 // CNVD: CNVD-2021-20269 // CNNVD: CNNVD-202006-1279

IOT TAXONOMY

category: IoT; sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-20269

AFFECTED PRODUCTS

vendor: arm; model: mbed os; scope: eq; version: 5.15.3

Trust: 2.4

sources: CNVD: CNVD-2021-20269 // JVNDB: JVNDB-2020-007010 // NVD: CVE-2020-12886

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-12886
value: CRITICAL

Trust: 1.0

NVD: JVNDB-2020-007010
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2021-20269
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202006-1279
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2020-12886
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-007010
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2021-20269
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-12886
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-007010
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-20269 // JVNDB: JVNDB-2020-007010 // CNNVD: CNNVD-202006-1279 // NVD: CVE-2020-12886

PROBLEMTYPE DATA

problemtype:CWE-125

Trust: 1.8

sources: JVNDB: JVNDB-2020-007010 // NVD: CVE-2020-12886

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-1279

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202006-1279

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-007010

PATCH

title: Bugfix/coap parser mem access bugs #116
url: https://github.com/ARMmbed/mbed-coap/pull/116

Trust: 0.8

title: Out of range memory access in MbedOS CoAP library parser - token length not validated #12948
url: https://github.com/ARMmbed/mbed-os/issues/12948

Trust: 0.8

title: Patch for ARM Mbed OS CoAP library buffer overflow vulnerability (CNVD-2021-20269)
url: https://www.cnvd.org.cn/patchInfo/show/253731

Trust: 0.6

sources: CNVD: CNVD-2021-20269 // JVNDB: JVNDB-2020-007010

EXTERNAL IDS

db: NVD; id: CVE-2020-12886

Trust: 3.0

db: JVNDB; id: JVNDB-2020-007010

Trust: 0.8

db: CNVD; id: CNVD-2021-20269

Trust: 0.6

db: CNNVD; id: CNNVD-202006-1279

Trust: 0.6

sources: CNVD: CNVD-2021-20269 // JVNDB: JVNDB-2020-007010 // CNNVD: CNNVD-202006-1279 // NVD: CVE-2020-12886

REFERENCES

url: https://github.com/armmbed/mbed-os/issues/12948

Trust: 1.6

url: https://github.com/armmbed/mbed-coap/pull/116

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2020-12886

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-12886

Trust: 0.8

sources: JVNDB: JVNDB-2020-007010 // CNNVD: CNNVD-202006-1279 // NVD: CVE-2020-12886

SOURCES

db: CNVD; id: CNVD-2021-20269
db: JVNDB; id: JVNDB-2020-007010
db: CNNVD; id: CNNVD-202006-1279
db: NVD; id: CVE-2020-12886

LAST UPDATE DATE

2024-11-23T22:29:37.161000+00:00


SOURCES UPDATE DATE

db: CNVD; id: CNVD-2021-20269; date: 2021-03-23T00:00:00
db: JVNDB; id: JVNDB-2020-007010; date: 2020-07-29T00:00:00
db: CNNVD; id: CNNVD-202006-1279; date: 2020-07-02T00:00:00
db: NVD; id: CVE-2020-12886; date: 2024-11-21T05:00:29.590

SOURCES RELEASE DATE

db: CNVD; id: CNVD-2021-20269; date: 2021-03-18T00:00:00
db: JVNDB; id: JVNDB-2020-007010; date: 2020-07-29T00:00:00
db: CNNVD; id: CNNVD-202006-1279; date: 2020-06-18T00:00:00
db: NVD; id: CVE-2020-12886; date: 2020-06-18T19:15:11.567