ByteOS Network

NVD Vulnerability Details :

CVE-2019-16910

Analyzed

Source-cve@mitre.org

Published At-26 Sep, 2019 | 13:15

Updated At-03 Mar, 2023 | 15:24

Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times. (For Mbed TLS, the fix is also available in versions 2.7.12 and 2.16.3.)

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	5.3	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary	2.0	2.6	LOW	AV:N/AC:H/Au:N/C:P/I:N/A:N

Type: Primary

Version: 3.1

Base score: 5.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Type: Primary

Version: 2.0

Base score: 2.6

Base severity: LOW

Vector:

AV:N/AC:H/Au:N/C:P/I:N/A:N

CPE Matches

Arm Limited

>>mbed_crypto>>Versions before 2.0.0(exclusive)

cpe:2.3:a:arm:mbed_crypto:*:*:*:*:*:*:*:*

Arm Limited

>>mbed_tls>>Versions before 2.7.12(exclusive)

cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*

Arm Limited

>>mbed_tls>>Versions from 2.8.0(inclusive) to 2.16.3(exclusive)

cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*

Arm Limited

>>mbed_tls>>Versions from 2.17.0(inclusive) to 2.19.0(exclusive)

cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*

Fedora Project

>>fedora>>29

cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*

Fedora Project

>>fedora>>30

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

Fedora Project

>>fedora>>31

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

Debian GNU/Linux

>>debian_linux>>10.0

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
NVD-CWE-noinfo	Primary	nvd@nist.gov

CWE ID: NVD-CWE-noinfo

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
https://github.com/ARMmbed/mbedtls/commit/298a43a77ec0ed2c19a8c924ddd8571ef3e65dfd	cve@mitre.org	Patch
https://github.com/ARMmbed/mbedtls/commit/33f66ba6fd234114aa37f0209dac031bb2870a9b	cve@mitre.org	Patch
https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html	cve@mitre.org	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CGSKQSGR5SOBRBXDSSPTCDSBB5K3GMPF/	cve@mitre.org	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CSFFOROD6IVLADZHNJC2LPDV7FQRP7XB/	cve@mitre.org	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEHHH2DOBXB25CAU3Q6E66X723VAYTB5/	cve@mitre.org	Mailing List Third Party Advisory
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10	cve@mitre.org	Vendor Advisory