{"id":"CVE-2020-10932","details":"An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before 2.7.15. An attacker that can get precise enough side-channel measurements can recover the long-term ECDSA private key by (1) reconstructing the projective coordinate of the result of scalar multiplication by exploiting side channels in the conversion to affine coordinates; (2) using an attack described by Naccache, Smart, and Stern in 2003 to recover a few bits of the ephemeral scalar from those projective coordinates via several measurements; and (3) using a lattice attack to get from there to the long-term ECDSA private key used for the signatures. Typically an attacker would have sufficient access when attacking an SGX enclave and controlling the untrusted OS.","modified":"2026-03-20T11:31:19.606963Z","published":"2020-04-15T14:15:20.123Z","related":["MGASA-2020-0265","openSUSE-SU-2021:0384-1","openSUSE-SU-2021:0397-1"],"references":[{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FCWN5HIF4CJ2LZTOMEBJ7Q4IMMV7ZU2V/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNOS2IIBH5WNJXZUV546PY7666DE7Y3L/"},{"type":"ADVISORY","url":"https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released"},{"type":"ADVISORY","url":"https://tls.mbed.org/tech-updates/security-advisories"},{"type":"ADVISORY","url":"https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/armmbed/mbedtls","events":[{"introduced":"32605dc83042d737e715a685e53176388d73540e"},{"fixed":"21522a49aa0d1e8b76e9b4d5d289f95cd85f2782"},{"introduced":"fb1972db23da39bd11d4f9c9ea6266eee665605b"},{"fixed":"2a1d9332d55d1270084232e42df08fdb08129f1b"}],"database_specific":{"versions":[{"introduced":"2.7.0"},{"fixed":"2.7.15"},{"introduced":"2.16.0"},{"fixed":"2.16.6"}]}}],"versions":["mbedtls-2.10.0","mbedtls-2.11.0","mbedtls-2.12.0","mbedtls-2.13.0","mbedtls-2.13.1","mbedtls-2.14.0","mbedtls-2.16.0","mbedtls-2.16.1","mbedtls-2.16.2","mbedtls-2.16.3","mbedtls-2.16.4","mbedtls-2.16.5","mbedtls-2.7.0","mbedtls-2.7.1","mbedtls-2.7.10","mbedtls-2.7.11","mbedtls-2.7.12","mbedtls-2.7.13","mbedtls-2.7.14","mbedtls-2.7.2","mbedtls-2.7.2-rc1","mbedtls-2.7.3","mbedtls-2.7.4","mbedtls-2.7.5","mbedtls-2.7.6","mbedtls-2.7.7","mbedtls-2.7.8","mbedtls-2.7.9","mbedtls-2.8.0","mbedtls-2.8.0-rc1","mbedtls-2.9.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-10932.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"31"}]},{"events":[{"introduced":"0"},{"last_affected":"32"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}