CVE-2020-16150: Information Exposure Through Discrepancy

September 2, 2020 (updated September 25, 2020)

A Lucky timing side channel in mbedtls_ssl_decrypt_buf in library/ssl_msg.c in Trusted Firmware Mbed TLS allows an attacker to recover secret key information. This affects CBC mode because of a computed time difference based on a padding length.

References

nvd.nist.gov/vuln/detail/CVE-2020-16150
tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1

Code Behaviors & Features

Detect and mitigate CVE-2020-16150 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →