VuXML ID | Description |
bcdeb6d2-f02d-11ea-838a-0011d823eebd | Mbed TLS -- Local side channel attack on RSA and static Diffie-Hellman
Manuel Pégourié-Gonnard reports:
An attacker with access to precise enough timing and memory access
information (typically an untrusted operating system attacking a
secure enclave such as SGX or the TrustZone secure world) can
recover the private keys used in RSA or static (finite-field)
Diffie-Hellman operations.
Discovery: 2020-09-01  Entry: 2020-09-06
Affected: mbedtls < 2.16.8
Reference: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2
|
c1b2b492-6999-11ec-a50c-001cc0382b2f | Mbed TLS -- Potential double-free after an out of memory error
Manuel Pégourié-Gonnard reports:
If mbedtls_ssl_set_session() or mbedtls_ssl_get_session() were to
fail with MBEDTLS_ERR_SSL_ALLOC_FAILED (in an out of memory
condition), then calling mbedtls_ssl_session_free() and
mbedtls_ssl_free() in the usual manner would cause an internal
session buffer to be freed twice, due to two structures both having
valid pointers to it after a call to ssl_session_copy().
An attacker could potentially trigger the out of memory condition,
and therefore use this bug to create memory corruption, which could
then be further exploited or targeted.
Discovery: 2021-12-14  Entry: 2021-12-30
Affected: mbedtls < 2.16.12; mbedtls >= 2.17.0, < 2.28.0
CVE: CVE-2021-44732
Reference: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12
|
c2f107e1-2493-11e8-b3e8-001cc0382b2f | mbed TLS (PolarSSL) -- remote code execution
Simon Butcher reports:
- When the truncated HMAC extension is enabled and CBC is used,
sending a malicious application packet can be used to selectively
corrupt 6 bytes on the peer's heap, potentially leading to a
crash or remote code execution. This can be triggered remotely
from either side in both TLS and DTLS.
- When RSASSA-PSS signature verification is enabled, sending a
maliciously constructed certificate chain can be used to cause a
buffer overflow on the peer's stack, potentially leading to crash
or remote code execution. This can be triggered remotely from
either side in both TLS and DTLS.
Discovery: 2018-02-05  Entry: 2018-03-10
Affected: mbedtls < 2.7.0; polarssl13 < 1.3.22
CVE: CVE-2018-0487, CVE-2018-0488
Reference: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01
|
293f40a0-ffa1-11e8-b258-0011d823eebd | Mbed TLS -- Local timing attack on RSA decryption
Janos Follath reports:
An attacker who can run code on the same machine that is
performing an RSA decryption can potentially recover the plaintext
through a Bleichenbacher-like oracle.
Discovery: 2018-11-28  Entry: 2018-12-14
Affected: mbedtls < 2.14.1
CVE: CVE-2018-19608
Reference: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-03
|
056ea107-5729-11ea-a2f3-001cc0382b2f | Mbed TLS -- Cache attack against RSA key import in SGX
Janos Follath reports:
If Mbed TLS is running in an SGX enclave and the adversary has
control of the main operating system, they can launch a side
channel attack to recover the RSA private key when it is being
imported.
The attack only requires access to fine grained measurements to
cache usage. Therefore the attack might be applicable to a scenario
where Mbed TLS is running in TrustZone secure world and the
attacker controls the normal world or possibly when Mbed TLS is
part of a hypervisor and the adversary has full control of a guest
OS.
Discovery: 2020-02-18  Entry: 2020-02-24
Affected: mbedtls < 2.16.5
Reference: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02
|
bf1f47c4-7f1b-11ea-bf94-001cc0382b2f | Mbed TLS -- Side channel attack on ECDSA
Manuel Pégourié-Gonnard reports:
An attacker with access to precise enough timing and memory access
information (typically an untrusted operating system attacking a
secure enclave such as SGX or the TrustZone secure world) can fully
recover an ECDSA private key after observing a number of signature
operations.
Discovery: 2020-04-14  Entry: 2020-04-15
Affected: mbedtls < 2.16.6
CVE: CVE-2020-10932
Reference: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04
|
1c948fd3-dac0-11e9-81b2-0011d823eebd | Mbed TLS -- Side channel attack on deterministic ECDSA
Janos Follath reports:
Mbed TLS does not have a constant-time/constant-trace arithmetic
library and uses blinding to protect against side channel
attacks.
In the ECDSA signature routine previous Mbed TLS versions used the
same RNG object for generating the ephemeral key pair and for
generating the blinding values. The deterministic ECDSA function
reused this by passing the RNG object created from the private key
and the message to be signed as prescribed by RFC 6979. This meant
that the same RNG object was used whenever the same message was
signed, rendering the blinding ineffective.
If the victim can be tricked to sign the same message repeatedly,
the private key may be recoverable through side channels.
Discovery: 2019-09-06  Entry: 2019-09-19
Affected: mbedtls < 2.16.3
Reference: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10
|
b70b880f-5727-11ea-a2f3-001cc0382b2f | Mbed TLS -- Side channel attack on ECDSA
Janos Follath reports:
Our bignum implementation is not constant time/constant trace, so
side channel attacks can retrieve the blinded value, factor it (as
it is smaller than RSA keys and not guaranteed to have only large
prime factors), and then, by brute force, recover the key.
Discovery: 2019-10-25  Entry: 2020-02-24
Affected: mbedtls < 2.16.4
CVE: CVE-2019-18222
Reference: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12
|
f4876dd4-9ca8-11e8-aa17-0011d823eebd | mbed TLS -- plaintext recovery vulnerabilities
Simon Butcher reports:
- When using a CBC based ciphersuite, a remote attacker can
partially recover the plaintext.
- When using a CBC based ciphersuite, an attacker with the
ability to execute arbitrary code on the machine under attack
can partially recover the plaintext by use of cache based
side-channels.
Discovery: 2018-07-24  Entry: 2018-08-10
Affected: mbedtls < 2.12
CVE: CVE-2018-0497, CVE-2018-0498
Reference: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02
|
d8382a69-4728-11e8-ba83-0011d823eebd | mbed TLS (PolarSSL) -- multiple vulnerabilities
Simon Butcher reports:
- Defend against Bellcore glitch attacks by verifying the results
of RSA private key operations.
- Fix implementation of the truncated HMAC extension. The
previous implementation allowed an offline 2^80 brute force
attack on the HMAC key of a single, uninterrupted connection
(with no resumption of the session).
- Reject CRLs containing unsupported critical extensions. Found
by Falko Strenzke and Evangelos Karatsiolis.
- Fix a buffer overread in ssl_parse_server_key_exchange() that
could cause a crash on invalid input.
- Fix a buffer overread in ssl_parse_server_psk_hint() that could
cause a crash on invalid input.
Discovery: 2018-03-21  Entry: 2018-04-23
Affected: mbedtls < 2.7.2; polarssl13 ge * (all versions)
Reference: https://tls.mbed.org/tech-updates/releases/mbedtls-2.8.0-2.7.2-and-2.1.11-released
|
f41e3e54-076b-11e7-a9f2-0011d823eebd | mbed TLS (PolarSSL) -- multiple vulnerabilities
Janos Follath reports:
- If a malicious peer supplies a certificate with a specially
crafted secp224k1 public key, then an attacker can cause the
server or client to attempt to free a block of memory held on the
stack. Depending on the platform, this could result in a Denial
of Service (client crash) or potentially could be exploited to
allow remote code execution with the same privileges as the host
application.
- If the client and the server both support MD5 and the client
can be tricked to authenticate to a malicious server, then the
malicious server can impersonate the client. To launch this man
in the middle attack, the adversary has to compute a
chosen-prefix MD5 collision in real time. This is very expensive
computationally, but can be practical. Depending on the
platform, this could result in a Denial of Service (client crash)
or potentially could be exploited to allow remote code execution
with the same privileges as the host application.
- A bug in the logic of the parsing of a PEM encoded Certificate
Revocation List in mbedtls_x509_crl_parse() can result in an
infinite loop. In versions before 1.3.10 the same bug results in
an infinite recursion stack overflow that usually crashes the
application. Methods and means of acquiring the CRLs are not part
of the TLS handshake and in the strict TLS setting this
vulnerability cannot be triggered remotely. The vulnerability
cannot be triggered unless the application explicitly calls
mbedtls_x509_crl_parse() or mbedtls_x509_crl_parse_file() on a PEM
formatted CRL of untrusted origin, in which case the
vulnerability can be exploited to launch a denial of service
attack against the application.
Discovery: 2017-03-11  Entry: 2017-03-12
Affected: mbedtls < 2.4.2; polarssl13 < 1.3.19
Reference: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01
|
c685edd9-c045-11ea-8898-001cc0382b2f | Mbed TLS -- Side-channel attack on ECC key import and validation
Manuel Pégourié-Gonnard reports:
The scalar multiplication function in Mbed TLS accepts a random
number generator (RNG) as an optional argument and, if provided,
uses it to protect against some attacks.
It is the caller's responsibility to provide a RNG if protection
against side-channel attacks is desired; however two groups of
functions in Mbed TLS itself fail to pass a RNG:
- mbedtls_pk_parse_key() and mbedtls_pk_parse_keyfile()
- mbedtls_ecp_check_pub_priv() and mbedtls_pk_check_pair()
When those functions are called, scalar multiplication is computed
without randomisation, a number of old and new attacks apply,
allowing a powerful local attacker to fully recover the private
key.
Discovery: 2020-07-01  Entry: 2020-07-07
Affected: mbedtls < 2.16.7
Reference: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07
|
4c69240f-f02c-11ea-838a-0011d823eebd | Mbed TLS -- Local side channel attack on classical CBC decryption in (D)TLS
Manuel Pégourié-Gonnard reports:
When decrypting/authenticating (D)TLS record in a connection using
a CBC ciphersuite without the Encrypt-then-Mac extension RFC 7366,
Mbed TLS used dummy rounds of the compression function associated
with the hash used for HMAC in order to hide the length of the
padding to remote attackers, as recommended in the original Lucky
Thirteen paper.
A local attacker who is able to observe the state of the cache
could monitor the presence of mbedtls_md_process() in the cache in
order to determine when the actual computation ends and when the
dummy rounds start. This is a reliable target as it's always called
at least once, in response to a previous attack. The attacker can
then continue with one of many well-documented Lucky 13
variants.
Discovery: 2020-09-01  Entry: 2020-09-06
Affected: mbedtls < 2.16.8
CVE: CVE-2020-16150
Reference: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1
|