Taesoo Kim

Researcher fromGeorgia Institute of Technology
#14681of 53,632
18.4Total CVSS
Vulnerabilities · 3
Medium
2
High
1
PT-2021-6717
7.8
2020-07-02
Arm · Mbed Tls · CVE-2020-36423
**Name of the Vulnerable Software and Affected Versions** Arm Mbed TLS versions prior to 2.23.0 **Description** A remote attacker can recover plaintext because a certain Lucky 13 countermeasure doesn't properly consider the case of a hardware accelerator. This issue is related to the implementation of TLS and SSL protocols in Mbed TLS, allowing an attacker to access confidential data. **Recommendations** For versions prior to 2.23.0, update to version 2.23.0 or later to resolve the issue. As a temporary workaround, consider disabling hardware acceleration for TLS and SSL protocols until a patch is available. Restrict access to sensitive data to minimize the risk of exploitation.
PT-2021-6718
5.3
2020-07-02
Arm · Mbed Tls · CVE-2020-36421
**Name of the Vulnerable Software and Affected Versions** Arm Mbed TLS versions prior to 2.23.0 **Description** The issue is related to a side channel in modular exponentiation, which could disclose an RSA private key used in a secure enclave. This is due to a dependency of the instruction timing on the instruction data, allowing a remote attacker to access confidential data. **Recommendations** For versions prior to 2.23.0, update to version 2.23.0 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive data handled by the secure enclave until the update is applied.
PT-2020-6633
5.3
2020-06-20
Arm · Mbed Tls · CVE-2020-36422
**Name of the Vulnerable Software and Affected Versions** Arm Mbed TLS versions prior to 2.23.0 **Description** A side channel issue allows the recovery of an ECC private key. This is related to functions such as `mbedtls ecp check pub priv`, `mbedtls pk parse key`, `mbedtls pk parse keyfile`, `mbedtls ecp mul`, and `mbedtls ecp mul restartable`. The issue can be exploited by a remote attacker to gain access to confidential data. **Recommendations** For versions prior to 2.23.0, update to version 2.23.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the functions `mbedtls ecp check pub priv`, `mbedtls pk parse key`, `mbedtls pk parse keyfile`, `mbedtls ecp mul`, and `mbedtls ecp mul restartable` to minimize the risk of exploitation.