FS#63962 - [mbedtls] <2.16.3 is affected by CVE-2019-16910 (ECDSA implementation is not constant-time)
Attached to Project:
Community Packages
Opened by Pascal Ernster (hardfalcon) - Monday, 30 September 2019, 12:42 GMT
Last edited by Doug Newgard (Scimmia) - Tuesday, 10 March 2020, 16:24 GMT
Opened by Pascal Ernster (hardfalcon) - Monday, 30 September 2019, 12:42 GMT
Last edited by Doug Newgard (Scimmia) - Tuesday, 10 March 2020, 16:24 GMT
|
Details
mbedTLS <2.19.0 and <2.16.3 uses an RNG with
insufficient entropy for blinding when when deterministic
ECDSA is enabled. This might allow an attacker to recover a
private key via side-channel attacks if a victim signs the
same message many times. Upstream has released a security
advisory with more in-depth information (they seem to have
introduced a new functions that software developers are
supposed to use instead of the old function):
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10 The changelog for mbedTLS 2.16.3 also lists two additional vulnerabilities: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.3-and-2.7.12-released mbedTLS 2.16.2 fixed an additional security issue (Archlinux currently ships mbedTLS 2.16.0): https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.2-and-2.7.11-released |
This task depends upon
Comment by
Pascal Ernster (hardfalcon) -
Monday, 30 September 2019, 12:46 GMT
Sorry, I got the bug title wrong, should have been "ineffective
blinding with deterministic ECDSA".