SB2020052524 - Use of a broken or risky cryptographic algorithm in mbedtls (Alpine package)
Published: May 25, 2020
Security Bulletin ID
SB2020052524
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2020-10932)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to incorrect implementation of modular inverse operation as implemented in Mbed TLS. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) can fully recover an ECDSA private key after observing a number of signature operations a.k.k. single-trace side channel attack.
Remediation
Install update from vendor's website.