Bug 1188492 (CVE-2020-36424) - VUL-0: CVE-2020-36424: mbedtls: side-channel attack against generation of base blinding/unblinding values
Summary: VUL-0: CVE-2020-36424: mbedtls: side-channel attack against generation of bas...
Status: RESOLVED FIXED
Alias: CVE-2020-36424
Product: openSUSE Distribution
Classification: openSUSE
Component: Basesystem (show other bugs)
Version: Leap 15.2
Hardware: Other Other
: P3 - Medium : Normal (vote)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/304566/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-20 06:03 UTC by Alexander Bergmann
Modified: 2021-08-06 10:52 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2021-07-20 06:03:00 UTC 
CVE-2020-36424

An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can recover a
private key (for RSA or static Diffie-Hellman) via a side-channel attack against
generation of base blinding/unblinding values.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36424
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8
https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0
https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.17
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2
https://bugs.gentoo.org/740108
Comment 1 Pedro Monreal Gonzalez 2021-08-05 10:14:45 UTC 
Resolution:
Affected users will want to upgrade to Mbed TLS 2.24.0, 2.16.8 or 2.7.17 depending on the branch they're currently using.

We have fixed versions in:
 * Version 2.16.9 in openSUSE:Leap:15.2:Update
 * Version 2.8.0 in openSUSE:Leap:15.1:Update
Comment 3 Marcus Meissner 2021-08-06 10:52:27 UTC 
done