CVE-2021-24119 Common Vulnerabilities and Exposures

Upstream information

CVE-2021-24119 at MITRE

Description

In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v2 Scores
	National Vulnerability Database
Base Score	4
Vector	AV:N/AC:L/Au:S/C:P/I:N/A:N
Access Vector	Network
Access Complexity	Low
Authentication	Single
Confidentiality Impact	Partial
Integrity Impact	None
Availability Impact	None

CVSS v3 Scores
	National Vulnerability Database
Base Score	4.9
Vector	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector	Network
Attack Complexity	Low
Privileges Required	High
User Interaction	None
Scope	Unchanged
Confidentiality Impact	High
Integrity Impact	None
Availability Impact	None
CVSSv3 Version	3.1

SUSE Bugzilla entry: 1189589 [RESOLVED / FIXED]

SUSE Security Advisories:

openSUSE-SU-2021:1344-1, published Mon Oct 11 21:41:56 2021
openSUSE-SU-2021:1355-1, published Fri Oct 15 09:41:23 2021
openSUSE-SU-2021:1389-1, published Thu Oct 21 00:41:19 2021

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Package Hub 15 SP2	`libmbedcrypto3 >= 2.16.9-bp152.2.6.1` `libmbedcrypto3-64bit >= 2.16.9-bp152.2.6.1` `libmbedtls12 >= 2.16.9-bp152.2.6.1` `libmbedtls12-64bit >= 2.16.9-bp152.2.6.1` `libmbedx509-0 >= 2.16.9-bp152.2.6.1` `libmbedx509-0-64bit >= 2.16.9-bp152.2.6.1` `mbedtls-devel >= 2.16.9-bp152.2.6.1`	Patchnames: openSUSE-2021-1355
SUSE Package Hub 15 SP3	`libmbedcrypto3 >= 2.16.9-bp153.2.5.1` `libmbedcrypto3-32bit >= 2.16.9-bp153.2.5.1` `libmbedcrypto3-64bit >= 2.16.9-bp153.2.5.1` `libmbedtls12 >= 2.16.9-bp153.2.5.1` `libmbedtls12-32bit >= 2.16.9-bp153.2.5.1` `libmbedtls12-64bit >= 2.16.9-bp153.2.5.1` `libmbedx509-0 >= 2.16.9-bp153.2.5.1` `libmbedx509-0-32bit >= 2.16.9-bp153.2.5.1` `libmbedx509-0-64bit >= 2.16.9-bp153.2.5.1` `mbedtls-devel >= 2.16.9-bp153.2.5.1`	Patchnames: openSUSE-2021-1389
openSUSE Leap 15.2	`libmbedcrypto3 >= 2.16.9-lp152.2.6.1` `libmbedcrypto3-32bit >= 2.16.9-lp152.2.6.1` `libmbedtls12 >= 2.16.9-lp152.2.6.1` `libmbedtls12-32bit >= 2.16.9-lp152.2.6.1` `libmbedx509-0 >= 2.16.9-lp152.2.6.1` `libmbedx509-0-32bit >= 2.16.9-lp152.2.6.1` `mbedtls-devel >= 2.16.9-lp152.2.6.1`	Patchnames: openSUSE-2021-1344
openSUSE Leap 15.3	`libmbedcrypto3 >= 2.16.9-bp153.2.5.1` `libmbedcrypto3-32bit >= 2.16.9-bp153.2.5.1` `libmbedcrypto3-64bit >= 2.16.9-bp153.2.5.1` `libmbedtls12 >= 2.16.9-bp153.2.5.1` `libmbedtls12-32bit >= 2.16.9-bp153.2.5.1` `libmbedtls12-64bit >= 2.16.9-bp153.2.5.1` `libmbedx509-0 >= 2.16.9-bp153.2.5.1` `libmbedx509-0-32bit >= 2.16.9-bp153.2.5.1` `libmbedx509-0-64bit >= 2.16.9-bp153.2.5.1` `mbedtls-devel >= 2.16.9-bp153.2.5.1`	Patchnames: openSUSE-2021-1389
openSUSE Tumbleweed	`libmbedcrypto7 >= 2.27.0-2.1` `libmbedcrypto7-32bit >= 2.27.0-2.1` `libmbedtls13 >= 2.27.0-2.1` `libmbedtls13-32bit >= 2.27.0-2.1` `libmbedx509-1 >= 2.27.0-2.1` `libmbedx509-1-32bit >= 2.27.0-2.1` `mbedtls-devel >= 2.27.0-2.1`	Patchnames: openSUSE-Tumbleweed-2024-11552

SUSE Timeline for this CVE

CVE page created: Thu Jul 15 16:58:53 2021
CVE page last modified: Tue Sep 3 19:19:52 2024