CVE-2021-24119Observable Discrepancy in ARM Mbed TLS

CWE-203Observable Discrepancy7 documents7 sources
Severity
4.9MEDIUMNVD
EPSS
0.7%
top 28.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Mbed MbedtlsARM Mbed TLSDebian Linux+1 more
Timeline
PublishedJul 14
Latest updateMay 24

Description

In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

NVDarm/mbed_tls< 2.26.0
Debianmbed/mbedtls< 2.16.9-0.1+deb11u1+3

Also affects: Debian Linux 10.0, 9.0, Fedora 33, 34

🔴Vulnerability Details

3
GHSA
GHSA-7wc7-36pp-g93m: In Trusted Firmware Mbed TLS 22022-05-24
CVEList
CVE-2021-24119: In Trusted Firmware Mbed TLS 22021-07-14
OSV
CVE-2021-24119: In Trusted Firmware Mbed TLS 22021-07-14

📋Vendor Advisories

2
Microsoft
In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled2021-07-13
Debian
CVE-2021-24119: mbedtls - In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM ...2021

📄Research Papers

1
arXiv
Util::Lookup: Exploiting key decoding in cryptographic libraries2021-08-10
CVE-2021-24119 — Observable Discrepancy in ARM Mbed TLS | cvebase