An issue exists in Mbed TLS 2.x prior to 2.28.7 and 3.x prior to 3.5.2. There was a timing side channel in RSA private operations. This side channel could be sufficient for a local malicious user to recover the plaintext. It requires the malicious user to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
arm mbed tls |