[ASA-202007-5] mbedtls: private key recovery
Arch Linux Security Advisory ASA-202007-5 ========================================= Severity: Medium Date : 2020-07-31 CVE-ID : CVE-2020-10932 Package : mbedtls Type : private key recovery Remote : No Link : https://security.archlinux.org/AVG-1141 Summary ======= The package mbedtls before version 2.16.7-1 is vulnerable to private key recovery. Resolution ========== Upgrade to 2.16.7-1. # pacman -Syu "mbedtls>=2.16.7-1" The problem has been fixed upstream in version 2.16.7. Workaround ========== None. Description =========== A side channel attack has been found on the ECDSA implementation of Mbed TLS before 2.22.0, 2.16.6 and 2.7.15, allowing a local attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) to fully recover an ECDSA private key after observing a number of signature operations. Impact ====== A remote attacker is able to recover an ECDSA private key. References ========== https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advis... https://security.archlinux.org/CVE-2020-10932
participants (1)
-
Morten Linderud