Vulnerability identifier: #VU46187
Vulnerability risk: Low
CVSSv3.1: 2.2 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-310
Exploitation vector: Local
Exploit availability: No
Vulnerable software: mbed TLS
Category: Universal components / Libraries / Libraries used by multiple products
Vendor: ARM
Description
The vulnerability allows a local user to perform a side-channel attack.
The vulnerability is caused by mbed TLS using dummy rounds of the compression function of the hash used for HMAC in order to hide the length of the padding from remote attackers when encrypting/authenticating a (D)TLS record in a connection that uses a CBC ciphersuite without the Encrypt-then-MAC extension. A local user who is able to observe the state of the cache can monitor the presence of mbedtls_md_process() in the cache to determine when the actual computation ends and when the dummy rounds start. This is a reliable target because the function is always called at least once.
Successful exploitation of the vulnerability may allow an attacker with access to enough information about the state of the cache (including, but not limited to, an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) to recover portions of the plaintext of a (D)TLS record.
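As an added illustration (not mbed TLS code, and not a claim about how the vendor fixed it), the Python model below shows the defensive pattern that removes the observable real/dummy boundary described above: the MAC is computed over the full maximum-length buffer, one intermediate digest is snapshotted at every candidate end offset, and the correct one is selected with a mask, so the sequence of hash calls never depends on the secret length. All names, the key and the buffer are constructed for this example; Python gives no timing guarantees, so this demonstrates the structure rather than a hardened implementation.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes

def _ct_select(candidates, real_len, min_len):
    """Return candidates[real_len - min_len] while touching every candidate.

    The mask is 0xFF only for the real length, so the selection has the
    same memory-access pattern whatever real_len is (structure only;
    Python itself offers no constant-time guarantee).
    """
    out = bytearray(len(candidates[0]))
    for idx, cand in enumerate(candidates):
        diff = (idx + min_len) ^ real_len      # 0 only for the real length
        mask = ((diff - 1) >> 64) & 0xFF       # 0xFF if diff == 0 else 0x00
        for j, b in enumerate(cand):
            out[j] |= b & mask
    return bytes(out)

def ct_hmac_sha256(key, buf, real_len, min_len, max_len):
    """HMAC-SHA256 over buf[:real_len].

    The amount of hashing and the number of snapshots depend only on
    min_len and max_len (the public bounds), never on real_len.
    """
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    k_ipad = bytes(k ^ 0x36 for k in key)
    k_opad = bytes(k ^ 0x5C for k in key)

    inner = hashlib.sha256(k_ipad)
    candidates = []
    for i in range(max_len + 1):          # inner has consumed buf[:i] here
        if i >= min_len:
            candidates.append(inner.copy().digest())  # digest if message ends at i
        if i < max_len:
            inner.update(buf[i:i + 1])    # always feed the whole buffer
    inner_digest = _ct_select(candidates, real_len, min_len)
    return hashlib.sha256(k_opad + inner_digest).digest()

def reference_hmac(key, buf, real_len):
    """Plain HMAC over the true message length, used only to check the result."""
    return hmac.new(key, buf[:real_len], hashlib.sha256).digest()
```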
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
mbed TLS: 2.0.0, 2.1.0 - 2.1.18, 2.2.0 - 2.2.1, 2.3.0, 2.4.0 - 2.4.2, 2.5.0 - 2.5.1, 2.6.0 - 2.6.1, 2.7.0 - 2.7.16, 2.8.0, 2.9.0, 2.10.0, 2.11.0, 2.12.0, 2.13.0 - 2.13.1, 2.14.0 - 2.14.1, 2.15.0 - 2.15.1, 2.16.0 - 2.16.7, 2.17.0, 2.18.0 - 2.18.1, 2.19.0 - 2.19.1, 2.20.0, 2.21.0, 2.22.0, 2.23.0
External links
http://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1
Can this vulnerability be exploited remotely?
No. This vulnerability can only be exploited locally. The attacker needs authentication credentials and must successfully authenticate on the system.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.