CVE-2018-0498

low-risk

Published 2018-07-28

ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows local users to achieve partial plaintext recovery (for a CBC based ciphersuite) via a cache-based side-channel attack.

Do I need to act?

0.21% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.7/10 Medium

LOCAL / HIGH complexity

Affected Products (3)

Mbed Tls

Debian Linux

Affected Vendors

Debian Arm

References (8)

Mailing List https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html

Mitigation https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-...

https://usn.ubuntu.com/4267-1/

Third Party Advisory https://www.debian.org/security/2018/dsa-4296

Mailing List https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html

Mitigation https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-...

https://usn.ubuntu.com/4267-1/

Third Party Advisory https://www.debian.org/security/2018/dsa-4296

/ 100

low-risk

Severity 12/34 · Low

Exploitability 1/34 · Minimal

Exposure 9/34 · Low