Information Disclosure Vulnerability in Mbed TLS by ARM
CVE-2022-46392

5.3MEDIUM

Key Information:

Vendor: Arm
Status: Mbed Tls
Vendor: CVE Published:; 15 December 2022

Summary

A vulnerability has been discovered in Mbed TLS versions prior to 2.28.2 and 3.x prior to 3.3.0. This issue allows an attacker who has precise knowledge of memory accesses, such as an untrusted operating system targeting a secure enclave, to potentially recover an RSA private key after monitoring a single private-key operation. This risk arises when the window size configuration (MBEDTLS_MPI_WINDOW_SIZE) used during exponentiation is set to 3 or smaller.

References

https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.3.0

https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Dec 15, 2022
Vulnerability Reserved
Dec 4, 2022