Mbed TLS · CVE-2022-46392
**Name of the Vulnerable Software and Affected Versions**
Mbed TLS versions prior to 2.28.2
Mbed TLS versions 3.x prior to 3.3.0
**Description**
An adversary with access to precise enough information about memory accesses can recover an RSA private key after observing the victim perform a single private-key operation. This is possible when the window size used for the exponentiation, set by `MBEDTLS_MPI_WINDOW_SIZE`, is 3 or smaller. The attack typically involves an untrusted operating system attacking a secure enclave.
**Recommendations**
For Mbed TLS versions prior to 2.28.2, update to version 2.28.2 or later.
For Mbed TLS versions 3.x prior to 3.3.0, update to version 3.3.0 or later.
As a temporary workaround, consider increasing `MBEDTLS_MPI_WINDOW_SIZE` to a value larger than 3 to minimize the risk of exploitation.
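
To check a build against both conditions above (library version and configured window size), the following audit script is an added example, not code from the Mbed TLS project. The function names and the sample header are hypothetical and constructed for illustration; the script assumes the version is supplied as `X.Y.Z` and does not evaluate preprocessor conditionals around the define.

```python
import re

# Thresholds taken from the advisory text.
FIXED_2X = (2, 28, 2)   # first fixed release on the 2.x line
FIXED_3X = (3, 3, 0)    # first fixed release on the 3.x line
MAX_RISKY_WINDOW = 3    # window size 3 or smaller enables the attack

_DEFINE = re.compile(
    r"^[ \t]*#[ \t]*define[ \t]+MBEDTLS_MPI_WINDOW_SIZE[ \t]+(\d+)", re.M)

# Constructed sample header, not taken from any real project.
SAMPLE_CONFIG = """\
/* constructed sample configuration */
//#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< inactive: commented out */
#define MBEDTLS_MPI_WINDOW_SIZE 2
"""

def version_is_affected(version):
    """True if 'X.Y.Z' is older than the fixed release on its line."""
    v = tuple(int(p) for p in version.strip().split("."))
    if len(v) != 3:
        raise ValueError("expected X.Y.Z, got %r" % version)
    return v < (FIXED_3X if v[0] >= 3 else FIXED_2X)

def configured_window_size(header_text):
    """Value of the last active #define, or None if the header sets none."""
    text = re.sub(r"/\*.*?\*/", "", header_text, flags=re.S)  # block comments
    text = re.sub(r"//[^\n]*", "", text)                      # line comments
    values = _DEFINE.findall(text)
    return int(values[-1]) if values else None

def assess(version, header_text):
    """Classify one build against the advisory's two conditions."""
    if not version_is_affected(version):
        return "fixed-version"
    window = configured_window_size(header_text)
    if window is None:
        # The library default applies; check it in the shipped bignum.h.
        return "affected-version-window-unknown"
    if window <= MAX_RISKY_WINDOW:
        return "exposed"
    return "affected-version-workaround-applied"

if __name__ == "__main__":
    for ver in ("2.28.1", "2.28.2", "3.2.1", "3.3.0"):
        print(ver, assess(ver, SAMPLE_CONFIG))
```

A result of `affected-version-workaround-applied` still calls for the update, since the advisory describes the larger window only as a temporary measure.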