Main Vulnerability Database SB2018081320

SB2018081320 - Information disclosure in mbedtls (Alpine package)

Published: August 13, 2018

Security Bulletin ID SB2018081320

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2018-0498)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists in ARM mbed TLS due to insufficient security restrictions imposed by the affected software when a cipher suite based on cipher block chaining (CBC) is used. A remote attacker who is able to observe and manipulate network packets can conduct a timing-based side-channel attack and partially recover the plaintext content.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=12f88f964ce5637e0f8cbe1b8eb8119a52d2eac7
https://git.alpinelinux.org/aports/commit/?id=1c0e971a526aed30795ed65912b72f65dfbf9dd2