CVE-2024-23170

Gentoo Linux Security Advisory 202409-14

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2. There was a timing side channel in RSA private operations. This side channel could be sufficient for a local attacker to recover the plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.

Se descubrió un problema en Mbed TLS 2.x anterior a 2.28.7 y 3.x anterior a 3.5.2. Había un canal lateral de sincronización en las operaciones privadas de RSA. Este canal lateral podría ser suficiente para que un atacante local recupere el texto plano. Requiere que el atacante envíe una gran cantidad de mensajes para descifrarlos, como se describe en "Everlasting ROBOT: the Marvin Attack" de Hubert Kario.

Multiple vulnerabilities have been discovered in Mbed TLS, the worst of which could lead to information disclosure or denial of service. Versions greater than or equal to 2.28.7 are affected.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-01-12 CVE Reserved
2024-01-31 CVE Published
2024-08-01 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-203: Observable Discrepancy

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GP5UU7Z6LJNBLBT4SC5WWS2HDNMTFZH5	2024-02-22
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IIBPEYSVRK4IFLBSYJAWKH33YBNH5HR2	2024-02-22
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1	2024-02-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Arm Search vendor "Arm"		Mbed Tls Search vendor "Arm" for product "Mbed Tls"				>= 2.0.0 < 2.28.7 Search vendor "Arm" for product "Mbed Tls" and version " >= 2.0.0 < 2.28.7"		-		Affected
Arm Search vendor "Arm"		Mbed Tls Search vendor "Arm" for product "Mbed Tls"				>= 3.0.0 < 3.5.2 Search vendor "Arm" for product "Mbed Tls" and version " >= 3.0.0 < 3.5.2"		-		Affected