CVE-2020-36424 : An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can recover a

An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can recover a private key (for RSA or static Diffie-Hellman) via a side-channel attack against generation of base blinding/unblinding values.

Published 2021-07-19 17:15:11

Updated 2023-01-11 17:02:38

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2020-36424

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
ARM » Mbed Tls
Versions from including (>=) 2.8.0 and before (<) 2.16.8
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*
Matching versions
ARM » Mbed Tls
Versions from including (>=) 2.17.0 and before (<) 2.24.0
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*
Matching versions
ARM » Mbed Tls
Versions before (<) 2.7.17
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-36424

EPSS FAQ

0.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 17 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-36424

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
1.9	LOW	AV:L/AC:M/Au:N/C:P/I:N/A:N	3.4	2.9	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
4.7	MEDIUM	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N	1.0	3.6	NIST
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2020-36424

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-36424

https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html

[SECURITY] [DLA 3249-1] mbedtls security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0

Release Mbed TLS 2.24.0 · ARMmbed/mbedtls · GitHub
Release Notes;Third Party Advisory

CVEs referencing this url
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8

Release Mbed TLS 2.16.8 · ARMmbed/mbedtls · GitHub
Release Notes;Third Party Advisory

CVEs referencing this url
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2

Local side channel attack on RSA and static Diffie-Hellman - Tech Updates - Mbed TLS (Previously PolarSSL)
Vendor Advisory
https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.17

Release Mbed TLS 2.7.17 · ARMmbed/mbedtls · GitHub
Release Notes;Third Party Advisory

CVEs referencing this url
https://bugs.gentoo.org/740108

740108 – (CVE-2020-16150, CVE-2020-36424, CVE-2020-36425, CVE-2020-36426) <net-libs/mbedtls-{2.16.8,2.24.0}: Multiple vulnerabilities (CVE-2020-{16150,36424,36425,36426})
Issue Tracking;Patch;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-36424

Products affected by CVE-2020-36424

Exploit prediction scoring system (EPSS) score for CVE-2020-36424

CVSS scores for CVE-2020-36424

CWE ids for CVE-2020-36424

References for CVE-2020-36424