
CVE-2019-16910

Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times. (For Mbed TLS, the fix is also available in versions 2.7.12 and 2.16.3.)

Published

2019-09-26T13:15:10.790

Last Modified

2024-11-21T04:31:19.680

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:H/Au:N/C:P/I:N/A:N

  • Access Vector: NETWORK
  • Access Complexity: HIGH
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

Exploitability Score

4.9

Impact Score

2.9

Weaknesses
  • Type: Primary
    NVD-CWE-noinfo

Affected Vendors & Products

  Type              Vendor          Product       Version/Range   Vulnerable?
  ----------------  --------------  ------------  --------------  -----------
  Application       arm             mbed_crypto   < 2.0.0         Yes
  Application       arm             mbed_tls      < 2.7.12        Yes
  Application       arm             mbed_tls      < 2.16.3        Yes
  Application       arm             mbed_tls      < 2.19.0        Yes
  Operating System  fedoraproject   fedora        29              Yes
  Operating System  fedoraproject   fedora        30              Yes
  Operating System  fedoraproject   fedora        31              Yes
  Operating System  debian          debian_linux  10.0            Yes

References