Published: 26/09/2019 Updated: 03/10/2019
CVSS v2 Base Score: 2.6 | Impact Score: 2.9 | Exploitability Score: 4.9
CVSS v3 Base Score: 5.3 | Impact Score: 3.6 | Exploitability Score: 1.6
Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N

Vulnerability Summary

Arm Mbed TLS prior to 2.19.0 and Arm Mbed Crypto prior to 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow a malicious user to recover a private key via side-channel attacks if a victim signs the same message many times. (For Mbed TLS, the fix is also available in versions 2.7.12 and 2.16.3.)

Vendor Advisories

Debian Bug report logs - #941265 mbedtls: CVE-2019-16910
Package: src:mbedtls; Maintainer for src:mbedtls is James Cowgill <jcowgill@debian.org>
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 27 Sep 2019 11:09:01 UTC
Severity: important
Tags: security, upstream
Found in version mbedtls/2.16.2-1 ...