fkie_nvd - fkie_cve-2019-16910

FKIE_CVE-2019-16910

Vulnerability from fkie_nvd - Published: 2019-09-26 13:15 - Updated: 2024-11-21 04:31

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Summary

Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times. (For Mbed TLS, the fix is also available in versions 2.7.12 and 2.16.3.)

References

URL	Tags
cve@mitre.org	https://github.com/ARMmbed/mbedtls/commit/298a43a77ec0ed2c19a8c924ddd8571ef3e65dfd	Patch
cve@mitre.org	https://github.com/ARMmbed/mbedtls/commit/33f66ba6fd234114aa37f0209dac031bb2870a9b	Patch
cve@mitre.org	https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html	Mailing List, Third Party Advisory
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CGSKQSGR5SOBRBXDSSPTCDSBB5K3GMPF/	Mailing List, Third Party Advisory
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CSFFOROD6IVLADZHNJC2LPDV7FQRP7XB/	Mailing List, Third Party Advisory
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEHHH2DOBXB25CAU3Q6E66X723VAYTB5/	Mailing List, Third Party Advisory
cve@mitre.org	https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ARMmbed/mbedtls/commit/298a43a77ec0ed2c19a8c924ddd8571ef3e65dfd	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ARMmbed/mbedtls/commit/33f66ba6fd234114aa37f0209dac031bb2870a9b	Patch
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CGSKQSGR5SOBRBXDSSPTCDSBB5K3GMPF/	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CSFFOROD6IVLADZHNJC2LPDV7FQRP7XB/	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEHHH2DOBXB25CAU3Q6E66X723VAYTB5/	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10	Vendor Advisory

Impacted products

Vendor	Product	Version
arm	mbed_crypto	*
arm	mbed_tls	*
arm	mbed_tls	*
arm	mbed_tls	*
fedoraproject	fedora	29
fedoraproject	fedora	30
fedoraproject	fedora	31
debian	debian_linux	10.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:arm:mbed_crypto:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6AD8A538-60A5-47C4-BB40-0685B4A3DE86",
              "versionEndExcluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "053EFB3E-E148-4881-BE30-9895831DDCBE",
              "versionEndExcluding": "2.7.12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E618350B-48F3-4061-BE8B-04160F1D6A07",
              "versionEndExcluding": "2.16.3",
              "versionStartIncluding": "2.8.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C0548E55-EE05-40A5-9116-F89D9CAFAFCF",
              "versionEndExcluding": "2.19.0",
              "versionStartIncluding": "2.17.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*",
              "matchCriteriaId": "D100F7CE-FC64-4CC6-852A-6136D72DA419",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
              "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
              "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times. (For Mbed TLS, the fix is also available in versions 2.7.12 and 2.16.3.)"
    },
    {
      "lang": "es",
      "value": "Arm Mbed TLS versiones anteriores a 2.19.0 y Arm Mbed Crypto versiones anteriores a 2.0.0, cuando el ECDSA determinista est\u00e1 habilitado, usa un RNG con entrop\u00eda insuficiente para el cegamiento, lo que podr\u00eda permitir a un atacante recuperar una clave privada por medio de ataques de canal lateral si una v\u00edctima firma el mismo mensaje muchas veces. (Para Mbed TLS, la correcci\u00f3n tambi\u00e9n est\u00e1 disponible en las versiones 2.7.12 y 2.16.3.)"
    }
  ],
  "id": "CVE-2019-16910",
  "lastModified": "2024-11-21T04:31:19.680",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 2.6,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-09-26T13:15:10.790",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/ARMmbed/mbedtls/commit/298a43a77ec0ed2c19a8c924ddd8571ef3e65dfd"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/ARMmbed/mbedtls/commit/33f66ba6fd234114aa37f0209dac031bb2870a9b"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CGSKQSGR5SOBRBXDSSPTCDSBB5K3GMPF/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CSFFOROD6IVLADZHNJC2LPDV7FQRP7XB/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEHHH2DOBXB25CAU3Q6E66X723VAYTB5/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/ARMmbed/mbedtls/commit/298a43a77ec0ed2c19a8c924ddd8571ef3e65dfd"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/ARMmbed/mbedtls/commit/33f66ba6fd234114aa37f0209dac031bb2870a9b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CGSKQSGR5SOBRBXDSSPTCDSBB5K3GMPF/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CSFFOROD6IVLADZHNJC2LPDV7FQRP7XB/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEHHH2DOBXB25CAU3Q6E66X723VAYTB5/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2019-16910 (GCVE-0-2019-16910)

Vulnerability from cvelistv5 – Published: 2019-09-26 00:00 – Updated: 2024-08-05 01:24

Summary

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://tls.mbed.org/tech-updates/security-adviso…
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://github.com/ARMmbed/mbedtls/commit/298a43a…
	https://github.com/ARMmbed/mbedtls/commit/33f66ba…
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2022…	mailing-list

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:24:48.563Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10"
          },
          {
            "name": "FEDORA-2019-1240f0fe43",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEHHH2DOBXB25CAU3Q6E66X723VAYTB5/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/ARMmbed/mbedtls/commit/298a43a77ec0ed2c19a8c924ddd8571ef3e65dfd"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/ARMmbed/mbedtls/commit/33f66ba6fd234114aa37f0209dac031bb2870a9b"
          },
          {
            "name": "FEDORA-2019-07940971b2",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CSFFOROD6IVLADZHNJC2LPDV7FQRP7XB/"
          },
          {
            "name": "FEDORA-2019-89891f3e4a",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CGSKQSGR5SOBRBXDSSPTCDSBB5K3GMPF/"
          },
          {
            "name": "[debian-lts-announce] 20221225 [SECURITY] [DLA 3249-1] mbedtls security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times. (For Mbed TLS, the fix is also available in versions 2.7.12 and 2.16.3.)"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-26T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10"
        },
        {
          "name": "FEDORA-2019-1240f0fe43",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEHHH2DOBXB25CAU3Q6E66X723VAYTB5/"
        },
        {
          "url": "https://github.com/ARMmbed/mbedtls/commit/298a43a77ec0ed2c19a8c924ddd8571ef3e65dfd"
        },
        {
          "url": "https://github.com/ARMmbed/mbedtls/commit/33f66ba6fd234114aa37f0209dac031bb2870a9b"
        },
        {
          "name": "FEDORA-2019-07940971b2",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CSFFOROD6IVLADZHNJC2LPDV7FQRP7XB/"
        },
        {
          "name": "FEDORA-2019-89891f3e4a",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CGSKQSGR5SOBRBXDSSPTCDSBB5K3GMPF/"
        },
        {
          "name": "[debian-lts-announce] 20221225 [SECURITY] [DLA 3249-1] mbedtls security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-16910",
    "datePublished": "2019-09-26T00:00:00",
    "dateReserved": "2019-09-26T00:00:00",
    "dateUpdated": "2024-08-05T01:24:48.563Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

FKIE_CVE-2019-16910

CVE-2019-16910 (GCVE-0-2019-16910)

Tags

Sightings

Nomenclature