CVE-2019-16910 — MEDIUM (5.3)

Q: How severe is CVE-2019-16910?

CVE-2019-16910 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-16910?

Check the references section above for vendor advisories and patch information. Affected products include: Arm Mbed Crypto, Arm Mbed Tls, Fedoraproject Fedora, Debian Debian Linux.

Vulnerability Description

Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times. (For Mbed TLS, the fix is also available in versions 2.7.12 and 2.16.3.)

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Arm	Mbed Crypto	< 2.0.0
Arm	Mbed Tls	< 2.7.12
Fedoraproject	Fedora	29
Debian	Debian Linux	10.0

References

https://github.com/ARMmbed/mbedtls/commit/298a43a77ec0ed2c19a8c924ddd8571ef3e65dPatch
https://github.com/ARMmbed/mbedtls/commit/33f66ba6fd234114aa37f0209dac031bb2870aPatch
https://lists.debian.org/debian-lts-announce/2022/12/msg00036.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-Vendor Advisory
https://github.com/ARMmbed/mbedtls/commit/298a43a77ec0ed2c19a8c924ddd8571ef3e65dPatch
https://github.com/ARMmbed/mbedtls/commit/33f66ba6fd234114aa37f0209dac031bb2870aPatch
https://lists.debian.org/debian-lts-announce/2022/12/msg00036.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-Vendor Advisory

FAQ

What is CVE-2019-16910?

CVE-2019-16910 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private ...

How severe is CVE-2019-16910?

CVE-2019-16910 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-16910?

Check the references section above for vendor advisories and patch information. Affected products include: Arm Mbed Crypto, Arm Mbed Tls, Fedoraproject Fedora, Debian Debian Linux.