| VuXML ID | Description |
|---|
| bcdeb6d2-f02d-11ea-838a-0011d823eebd | Mbed TLS -- Local side channel attack on RSA and static Diffie-Hellman
Manuel Pégourié-Gonnard reports:
An attacker with access to precise enough timing and memory access
information (typically an untrusted operating system attacking a
secure enclave such as SGX or the TrustZone secure world) can
recover the private keys used in RSA or static (finite-field)
Diffie-Hellman operations.
Discovery 2020-09-01
Entry 2020-09-06
mbedtls
< 2.16.8
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2
|
| 4c69240f-f02c-11ea-838a-0011d823eebd | Mbed TLS -- Local side channel attack on classical CBC decryption in (D)TLS
Manuel Pégourié-Gonnard reports:
When decrypting/authenticating (D)TLS record in a connection using
a CBC ciphersuite without the Encrypt-then-Mac extension RFC 7366,
Mbed TLS used dummy rounds of the compression function associated
with the hash used for HMAC in order to hide the length of the
padding to remote attackers, as recommended in the original Lucky
Thirteen paper.
A local attacker who is able to observe the state of the cache
could monitor the presence of mbedtls_md_process() in the cache in
order to determine when the actual computation ends and when the
dummy rounds start. This is a reliable target as it's always called
at least once, in response to a previous attack. The attacker can
then continue with one of many well-documented Lucky 13
variants.
Discovery 2020-09-01
Entry 2020-09-06
mbedtls
< 2.16.8
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1
CVE-2020-16150
|
| bf1f47c4-7f1b-11ea-bf94-001cc0382b2f | Mbed TLS -- Side channel attack on ECDSA
Manuel Pégourié-Gonnard reports:
An attacker with access to precise enough timing and memory access
information (typically an untrusted operating system attacking a
secure enclave such as SGX or the TrustZone secure world) can fully
recover an ECDSA private key after observing a number of signature
operations.
Discovery 2020-04-14
Entry 2020-04-15
mbedtls
< 2.16.6
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04
CVE-2020-10932
|
| c1b2b492-6999-11ec-a50c-001cc0382b2f | Mbed TLS -- Potential double-free after an out of memory error
Manuel Pégourié-Gonnard reports:
If mbedtls_ssl_set_session() or mbedtls_ssl_get_session() were to
fail with MBEDTLS_ERR_SSL_ALLOC_FAILED (in an out of memory
condition), then calling mbedtls_ssl_session_free() and
mbedtls_ssl_free() in the usual manner would cause an internal
session buffer to be freed twice, due to two structures both having
valid pointers to it after a call to ssl_session_copy().
An attacker could potentially trigger the out of memory condition,
and therefore use this bug to create memory corruption, which could
then be further exploited or targetted.
Discovery 2021-12-14
Entry 2021-12-30
mbedtls
< 2.16.12
ge 2.17.0 lt 2.28.0
CVE-2021-44732
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12
|
| c685edd9-c045-11ea-8898-001cc0382b2f | Mbed TLS -- Side-channel attack on ECC key import and validation
Manuel Pégourié-Gonnard reports:
The scalar multiplication function in Mbed TLS accepts a random
number generator (RNG) as an optional argument and, if provided,
uses it to protect against some attacks.
It is the caller's responsibility to provide a RNG if protection
against side-channel attacks is desired; however two groups of
functions in Mbed TLS itself fail to pass a RNG:
- mbedtls_pk_parse_key() and mbedtls_pk_parse_keyfile()
- mbedtls_ecp_check_pub_priv() and mbedtls_pk_check_pair()
When those functions are called, scalar multiplication is computed
without randomisation, a number of old and new attacks apply,
allowing a powerful local attacker to fully recover the private
key.
Discovery 2020-07-01
Entry 2020-07-07
mbedtls
< 2.16.7
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07
|