CVE-2019-16910

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times. (For Mbed TLS, the fix is also available in versions 2.7.12 and 2.16.3.)

Arm Mbed TLS versiones anteriores a 2.19.0 y Arm Mbed Crypto versiones anteriores a 2.0.0, cuando el ECDSA determinista está habilitado, usa un RNG con entropía insuficiente para el cegamiento, lo que podría permitir a un atacante recuperar una clave privada por medio de ataques de canal lateral si una víctima firma el mismo mensaje muchas veces. (Para Mbed TLS, la corrección también está disponible en las versiones 2.7.12 y 2.16.3.)

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-09-26 CVE Reserved
2019-09-26 CVE Published
2024-08-05 CVE Updated
2024-09-19 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (7)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html	Mailing List

URL	Date	SRC

URL	Date	SRC
https://github.com/ARMmbed/mbedtls/commit/298a43a77ec0ed2c19a8c924ddd8571ef3e65dfd	2023-03-03
https://github.com/ARMmbed/mbedtls/commit/33f66ba6fd234114aa37f0209dac031bb2870a9b	2023-03-03

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CGSKQSGR5SOBRBXDSSPTCDSBB5K3GMPF	2023-03-03
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CSFFOROD6IVLADZHNJC2LPDV7FQRP7XB	2023-03-03
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEHHH2DOBXB25CAU3Q6E66X723VAYTB5	2023-03-03
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10	2023-03-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Arm Search vendor "Arm"		Mbed Crypto Search vendor "Arm" for product "Mbed Crypto"				< 2.0.0 Search vendor "Arm" for product "Mbed Crypto" and version " < 2.0.0"		-		Affected
Arm Search vendor "Arm"		Mbed Tls Search vendor "Arm" for product "Mbed Tls"				< 2.7.12 Search vendor "Arm" for product "Mbed Tls" and version " < 2.7.12"		-		Affected
Arm Search vendor "Arm"		Mbed Tls Search vendor "Arm" for product "Mbed Tls"				>= 2.8.0 < 2.16.3 Search vendor "Arm" for product "Mbed Tls" and version " >= 2.8.0 < 2.16.3"		-		Affected
Arm Search vendor "Arm"		Mbed Tls Search vendor "Arm" for product "Mbed Tls"				>= 2.17.0 < 2.19.0 Search vendor "Arm" for product "Mbed Tls" and version " >= 2.17.0 < 2.19.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				29 Search vendor "Fedoraproject" for product "Fedora" and version "29"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				30 Search vendor "Fedoraproject" for product "Fedora" and version "30"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				31 Search vendor "Fedoraproject" for product "Fedora" and version "31"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected