Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-10941: Cache attack against RSA key import in SGX — Mbed TLS documentation

Arm Mbed TLS before 2.16.5 allows attackers to obtain sensitive information (an RSA private key) by measuring cache usage during an import.

CVE
#vulnerability#ssl

Title

Cache attack against RSA key import in SGX

Date

20th February 2020 ( Updated on 21st February 2020 )

Affects

All versions of Mbed TLS and Mbed Crypto

Impact

The RSA private key is recoverable through side channels.

Severity

Medium

Credit

Alejandro Cabrera Aldaya and Billy Brumley

Vulnerability

If Mbed TLS is running in an SGX enclave and the adversary has control of the main operating system, they can launch a side channel attack to recover the RSA private key when it is being imported. Found by Alejandro Cabrera Aldaya and Billy Brumley and reported by Jack Lloyd.

The attack only requires access to fine grained measurements to cache usage. Therefore the attack might be applicable to a scenario where Mbed TLS is running in TrustZone secure world and the attacker controls the normal world or possibly when Mbed TLS is part of a hypervisor and the adversary has full control of a guest OS.

Impact

If an adversary has fine grained measurements to cache usage at the time an RSA key is being imported, they are able to recover the private key.

Resolution

Affected users should upgrade to one of the most recent versions of Mbed TLS, including 2.21.0, 2.16.5 or 2.7.14 or later. Similarly, affected users should upgrade to the most recent version of Mbed Crypto, including 3.1.0 or later.

Warning: Even in these versions, it is only safe to import complete RSA private keys. mbedtls_pk_parse_key() and mbedtls_pk_parse_keyfile() can only import complete private keys and therefore using them is safe. Use of lower level APIs (such as mbedtls_rsa_import()) or direct access to the members of the mbedtls_rsa_context structure for importing keys is only safe if all the needed parameters are provided; in configurations with MBEDTLS_RSA_NO_CRT undefined (which is the default), this means all the components prescribed by appendix A.1.2 of the PKCS#1 v2.2 standard; in configurations with MBEDTLS_RSA_NO_CRT enabled, this means n, e, d, p and q.

Workaround

There are no known workarounds.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907