In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single-stepped, especially Intel SGX.
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
| Link | Tags |
|---|---|
| https://github.com/ARMmbed/mbedtls/releases | third party advisory, release notes |
| https://github.com/UzL-ITS/util-lookup/blob/main/cve-vulnerability-publication.md | third party advisory, release notes |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DRRVY7DMTX3ECFNZKDYTSFEG5AI2HBC6/ | mailing list, third party advisory, vendor advisory |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYJW7HAW3TDV2YMDFYXP3HD6WRQRTLJW/ | mailing list, third party advisory, vendor advisory |
| https://lists.debian.org/debian-lts-announce/2021/11/msg00021.html | third party advisory, mailing list |
| https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html | third party advisory, mailing list |