CVE-2020-36424Observable Discrepancy in ARM Mbed TLS

CWE-203Observable Discrepancy6 documents6 sources
Severity
4.7MEDIUMNVD
EPSS
0.1%
top 67.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mbed MbedtlsARM Mbed TLSDebian Linux
Timeline
PublishedJul 19
Latest updateMay 24

Description

An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can recover a private key (for RSA or static Diffie-Hellman) via a side-channel attack against generation of base blinding/unblinding values.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.0 | Impact: 3.6

Affected Packages2 packages

NVDarm/mbed_tls2.8.02.16.8+2
Debianmbed/mbedtls< 2.16.9-0.1+3

Also affects: Debian Linux 10.0

Patches

Patch: bugs.gentoo.orgPatch: bugs.gentoo.org

🔴Vulnerability Details

3
GHSA
GHSA-999g-vph2-wr2c: An issue was discovered in Arm Mbed TLS before 22022-05-24
OSV
CVE-2020-36424: An issue was discovered in Arm Mbed TLS before 22021-07-19
CVEList
CVE-2020-36424: An issue was discovered in Arm Mbed TLS before 22021-07-19

📋Vendor Advisories

2
Microsoft
An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can recover a private key (for RSA or static Diffie-Hellman) via a side-channel attack against generation of base blinding/unblinding2021-07-13
Debian
CVE-2020-36424: mbedtls - An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can recover a...2020
CVE-2020-36424 — Observable Discrepancy in ARM Mbed TLS | cvebase