FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Mbed TLS -- Local side channel attack on classical CBC decryption in (D)TLS

Affected packages
mbedtls < 2.16.8


VuXML ID 4c69240f-f02c-11ea-838a-0011d823eebd
Discovery 2020-09-01
Entry 2020-09-06

Manuel Pégourié-Gonnard reports:

When decrypting/authenticating (D)TLS record in a connection using a CBC ciphersuite without the Encrypt-then-Mac extension RFC 7366, Mbed TLS used dummy rounds of the compression function associated with the hash used for HMAC in order to hide the length of the padding to remote attackers, as recommended in the original Lucky Thirteen paper.

A local attacker who is able to observe the state of the cache could monitor the presence of mbedtls_md_process() in the cache in order to determine when the actual computation ends and when the dummy rounds start. This is a reliable target as it's always called at least once, in response to a previous attack. The attacker can then continue with one of many well-documented Lucky 13 variants.


CVE Name CVE-2020-16150