Vulnerability Details : CVE-2019-16910
Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times. (For Mbed TLS, the fix is also available in versions 2.7.12 and 2.16.3.)
Exploit prediction scoring system (EPSS) score for CVE-2019-16910
Probability of exploitation activity in the next 30 days: 0.26%
Percentile (the proportion of vulnerabilities scored at or below this one): ~64%
CVSS scores for CVE-2019-16910
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
2.6 | LOW | AV:N/AC:H/Au:N/C:P/I:N/A:N | 4.9 | 2.9 | NIST |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N | 1.6 | 3.6 | NIST |
References for CVE-2019-16910
- https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html
  [SECURITY] [DLA 3249-1] mbedtls security update (Mailing List; Third Party Advisory)
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10
  Side channel attack on deterministic ECDSA - Tech Updates - Mbed TLS (Previously PolarSSL) (Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEHHH2DOBXB25CAU3Q6E66X723VAYTB5/
  [SECURITY] Fedora 31 Update: mbedtls-2.16.3-1.fc31 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CSFFOROD6IVLADZHNJC2LPDV7FQRP7XB/
  [SECURITY] Fedora 30 Update: mbedtls-2.16.3-1.fc30 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CGSKQSGR5SOBRBXDSSPTCDSBB5K3GMPF/
  [SECURITY] Fedora 29 Update: mbedtls-2.16.3-1.fc29 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://github.com/ARMmbed/mbedtls/commit/33f66ba6fd234114aa37f0209dac031bb2870a9b
  Merge remote-tracking branch 'upstream-restricted/pr/556' into mbedtl… · ARMmbed/mbedtls@33f66ba · GitHub (Patch)
- https://github.com/ARMmbed/mbedtls/commit/298a43a77ec0ed2c19a8c924ddd8571ef3e65dfd
  Merge remote-tracking branch 'upstream-restricted/pr/549' into mbedtl… · ARMmbed/mbedtls@298a43a · GitHub (Patch)
Products affected by CVE-2019-16910
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*
- cpe:2.3:a:arm:mbed_crypto:*:*:*:*:*:*:*:*