Vulnerability Description
ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via a crafted certificate chain that is mishandled during RSASSA-PSS signature verification within a TLS or DTLS session.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Arm | Mbed Tls | >= 1.3.8, < 1.3.22 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/103056Third Party AdvisoryVDB Entry
- https://security.gentoo.org/glsa/201804-19Third Party Advisory
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-MitigationVendor Advisory
- https://usn.ubuntu.com/4267-1/
- https://www.debian.org/security/2018/dsa-4138Third Party Advisory
- https://www.debian.org/security/2018/dsa-4147Third Party Advisory
- http://www.securityfocus.com/bid/103056Third Party AdvisoryVDB Entry
- https://security.gentoo.org/glsa/201804-19Third Party Advisory
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-MitigationVendor Advisory
- https://usn.ubuntu.com/4267-1/
- https://www.debian.org/security/2018/dsa-4138Third Party Advisory
- https://www.debian.org/security/2018/dsa-4147Third Party Advisory
FAQ
What is CVE-2018-0487?
CVE-2018-0487 is a vulnerability with a CVSS score of 9.8 (CRITICAL). ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via a crafted certificate chain that is mis...
How severe is CVE-2018-0487?
CVE-2018-0487 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-0487?
Check the references section above for vendor advisories and patch information. Affected products include: Arm Mbed Tls, Debian Debian Linux.