CVE-2020-36423: 730752 – (CVE-2020-36421, CVE-2020-36422, CVE-2020-36423) <net-libs/mbedtls-{2.16.7,2.23.0}: Multiple vulnerabilities (CVE-2020-{36421,36422,36423})
An issue was discovered in Arm Mbed TLS before 2.23.0. A remote attacker can recover plaintext because a certain Lucky 13 countermeasure doesn’t properly consider the case of a hardware accelerator.
Summary: <net-libs/mbedtls-{2.16.7,2.23.0}: Multiple vulnerabilities (CVE-2020-{36421,…
Status: IN_PROGRESS
Alias: CVE-2020-36421, CVE-2020-36422, CVE-2020-36423
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa cve]
Keywords: PullRequest
Depends on:
Blocks: CVE-2020-16150, CVE-2020-36424, CVE-2020-36425, CVE-2020-36426, CVE-2020-36476, CVE-2020-36477
Reported: 2020-07-04 18:49 UTC by Sam James
Modified: 2022-12-22 23:46 UTC
CC List: 2 users
See Also: https://github.com/gentoo/gentoo/pull/17764
Package list:
net-libs/mbedtls-2.16.7-r1 amd64 arm64 ppc64 x86
net-libs/mbedtls-2.23.0-r1 amd64 arm64 ppc64 x86
Runtime testing required: —
Related news
Gentoo Linux Security Advisory 202301-8 - Multiple vulnerabilities have been discovered in Mbed TLS, the worst of which could result in arbitrary code execution. Versions less than 2.28.1 are affected.
An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify) with the actual certificate name is mishandled: when the subjectAltName extension is present, the expected name is compared to any name in that extension regardless of its type. This means that an attacker could impersonate a 4-byte or 16-byte domain by getting a certificate for the corresponding IPv4 or IPv6 address (this would require the attacker to control that IP address, though).
An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data from memory.
An issue was discovered in Arm Mbed TLS before 2.24.0. It incorrectly uses a revocationDate check when deciding whether to honor certificate revocation via a CRL. In some situations, an attacker can exploit this by changing the local clock.
An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a side channel in modular exponentiation, an RSA private key used in a secure enclave could be disclosed.
An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can recover a private key (for RSA or static Diffie-Hellman) via a side-channel attack against generation of base blinding/unblinding values.
A Lucky 13 timing side channel in mbedtls_ssl_decrypt_buf in library/ssl_msg.c in Trusted Firmware Mbed TLS through 2.23.0 allows an attacker to recover secret key information. This affects CBC mode because of a computed time difference based on a padding length.