Multiple vulnerabilities in Mbed TLS
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Side channel attack on classical CBC decryption in (D)TLS
EUVDB-ID: #VU46187
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-16150
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a side-channel attack.
The vulnerability is caused due to mbed TLS used dummy rounds of the compression function associated with the hash
used for HMAC in order to hide the length of the padding to remote
attackers when ecrypting/authenticating (D)TLS record in a connection using a CBC ciphersuite without the Encrypt-then-Mac extension. A local user who is able to observe the state of the cache could monitor the presence of mbedtls_md_process()
in the cache in order to determine when the actual computation ends and
when the dummy rounds start. This is a reliable target as it's always
called at least once.
Successful exploitation of the vulnerability may allow an attacker with access to enough information about the state of the cache (including, but not limited to, an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) to recover portions of the plaintext of a (D)TLS record.
MitigationInstall updates from vendor's website.
Vulnerable software versionsmbed TLS: 2.0.0 - 2.23.0
CPE2.3- cpe:2.3:a:arm:mbed_tls:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:arm:mbed_tls:2.19.1:*:*:*:*:*:*:*
- cpe:2.3:a:arm:mbed_tls:2.23.0:*:*:*:*:*:*:*
- cpe:2.3:a:arm:mbed_tls:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:arm:mbed_tls:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:arm:mbed_tls:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:arm:mbed_tls:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:arm:mbed_tls:2.7.16:*:*:*:*:*:*:*
- cpe:2.3:a:arm:mbed_tls:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:arm:mbed_tls:2.9.0:*:*:*:*:*:*:*
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Side channel attack on RSA and static Diffie-Hellman
EUVDB-ID: #VU46188
Risk: Low
CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to mbed TLS is using the GCD functio, which is prone to a single-trace side-channel attack. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) can recover the private keys used in RSA or static (finite-field) Diffie-Hellman operations.
Install updates from vendor's website.
Vulnerable software versionsmbed TLS: 2.0.0 - 2.23.0
CPE2.3https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
