#VU26020 Cryptographic issues in mbed TLS and mbed Crypto - CVE-2019-18222
Published: March 11, 2020
Vulnerability identifier: #VU26020
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-18222
CWE-ID: CWE-310
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
mbed TLS
mbed Crypto
mbed TLS
mbed Crypto
Software vendor:
ARM
ARM
Description
The vulnerability allows an attacker to gain access to sensitive information.
the vulnerability exists due to the ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto 2.1 and Mbed TLS through 2.19.1 does not reduce the blinded scalar before computing the inverse, which allows a local attacker to recover the private key via side-channel attacks.
Remediation
Install updates from vendor's website.
External links
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A3GWQNONS7GRORXZJ7MOJFUEJ2ZJ4OUW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NGDACU65MYZXXVPQP2EBHUJGOR4RWLVY/
- https://tls.mbed.org/tech-updates/security-advisories
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12