cbcvebase.
CVE-2024-23170
published 2024-01-31

CVE-2024-23170: An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2. There was a timing side channel in RSA private operations. This side channel could…

PriorityP424medium5.5CVSS 3.1
AVLACLPRLUINSUCHINAN
EPSS
0.31%
22.8th percentile
An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2. There was a timing side channel in RSA private operations. This side channel could be sufficient for a local attacker to recover the plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.

Affected

12 ranges
VendorProductVersion rangeFixed in
armmbed_tls>= 2.0.0 < 2.28.72.28.7
debianmbedtls< mbedtls 2.28.7-1 (forky)mbedtls 2.28.7-1 (forky)
mbedmbedtls>= 0 < 2.28.7-12.28.7-1
mbedmbedtls>= 0 < 2.28.7-12.28.7-1
msrcazl3_qemu_8.2.0-16_on_azure_linux_3.0
msrccbl2_hvloader_1.0.1-5_on_cbl_mariner_2.0
msrccbl2_hvloader_1.0.1-6_on_cbl_mariner_2.0
msrccbl2_qemu_6.2.0-24_on_cbl_mariner_2.0
msrccbl_mariner_2.0_arm
msrccbl_mariner_2.0_x64
paloaltopan-os
trustedfirmwarembed_tls>= 3.0.0 < 3.5.23.5.2

CVSS provenance

nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
osv5.5MEDIUM
vendor_debian5.5MEDIUM
vendor_msrc5.5MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.