
mbedtls-security-advisory-2021-07-1, -2021-07-2. CVE-2021-44732. Update to Mbed TLS 2.28.0  #43677

Closed

Description (@mkitti)

There have been several references to these security advisories for mbedtls in the issues / PRs in the past few months. I'm not sure if they have received the needed attention since the security advisory was not obvious in the title and there are no replies on the previous posts.

To make the issue clearer, I have produced the text of the advisories below.

Local side channel attack on RSA

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1

Vulnerability

The Montgomery curves Curve25519 and Curve448, also known as x25519 and x448 when used for Diffie-Hellman, were designed to minimize the number of checks an implementation needs to do for secure use.

In particular, validity of the peer's public key need not be checked, as long as the underlying multi-precision (bignum) arithmetic is constant-time. This is not the case in Mbed TLS, but validity checks were still skipped, so an attacker could exploit special inputs (low-order points) in order to cause variations in timing and memory access patterns that would in turn leak information about the private key.

Impact

An attacker with access to precise enough timing and memory access information (for example, able to execute arbitrary code and sharing a memory cache with the victim) can recover the private keys used in static Diffie-Hellman with x25519 and x448.

Resolution

Affected users will want to upgrade to Mbed TLS 3.0.0, 2.27.0 or 2.16.11 depending on the branch they're currently using.

Local side channel attack on static Diffie-Hellman with Montgomery curves

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-2

Vulnerability

The modular exponentiation operation in RSA uses a sliding window algorithm, with a memory access pattern that depends on the bits of the secret key.

Exponent blinding is used as a counter-measure: it prevents an attacker from correlating information gathered on successive operations, but researchers found a way to recover enough information by observing a single operation, therefore bypassing this counter-measure.

Impact

An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) can recover the private keys used in RSA.

Resolution

Affected users will want to upgrade to Mbed TLS 3.0.0, 2.27.0 or 2.16.11 depending on the branch they're currently using.

Prior References

#42634
#42311 (comment)

Potential double-free after an out of memory error

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12

Vulnerability

If mbedtls_ssl_set_session() or mbedtls_ssl_get_session() were to fail with MBEDTLS_ERR_SSL_ALLOC_FAILED (in an out of memory condition), then calling mbedtls_ssl_session_free() and mbedtls_ssl_free() in the usual manner would cause an internal session buffer to be freed twice, due to two structures both having valid pointers to it after a call to ssl_session_copy().

Impact

An attacker could potentially trigger the out of memory condition, and therefore use this bug to create memory corruption, which could then be further exploited or targeted.

Resolution

Affected users will want to upgrade to Mbed TLS 3.1.0, 2.28.0 or 2.16.12 depending on the branch they're currently using.

Work-around

Either do not call mbedtls_ssl_session_free() (which will unfortunately cause a memory leak) or set the mbedtls_ssl_session field ticket to NULL manually, in the case where either mbedtls_ssl_set_session() or mbedtls_ssl_get_session() returns MBEDTLS_ERR_SSL_ALLOC_FAILED.
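The double-free hazard and the work-around above, as an added example that is neither Mbed TLS code nor the issue author's: a constructed C model in which a failed allocation during the session copy leaves the destination's ticket pointer aliasing the source's buffer. would_double_free() shows that the usual cleanup would free that buffer twice unless ticket is set to NULL after MODEL_ERR_ALLOC_FAILED (an assumed stand-in for MBEDTLS_ERR_SSL_ALLOC_FAILED).

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the hazard in advisory 2021-12; this is not Mbed TLS code.
 * MODEL_ERR_ALLOC_FAILED stands in for MBEDTLS_ERR_SSL_ALLOC_FAILED. */
#define MODEL_ERR_ALLOC_FAILED (-0x7F00)
typedef struct {
    unsigned char *ticket;    /* heap buffer, like mbedtls_ssl_session.ticket */
    size_t ticket_len;
} model_session;
static int g_fail_next_alloc = 0;   /* test hook: make the next allocation fail */
static void *model_calloc(size_t n) {
    if (g_fail_next_alloc) { g_fail_next_alloc = 0; return NULL; }
    return calloc(1, n);
}

/* Models the copy step: shallow struct copy, then a deep copy of the ticket.
 * If the deep copy's allocation fails, an error is returned while dst->ticket
 * still points at src's buffer, so both owners would later free it. */
static int model_session_copy(model_session *dst, const model_session *src) {
    unsigned char *copy;
    *dst = *src;                                  /* dst->ticket aliases src->ticket */
    if (src->ticket == NULL) return 0;
    copy = model_calloc(src->ticket_len);
    if (copy == NULL) return MODEL_ERR_ALLOC_FAILED;
    memcpy(copy, src->ticket, src->ticket_len);
    dst->ticket = copy;
    return 0;
}

static void model_session_free(model_session *s) {
    free(s->ticket);
    s->ticket = NULL;
}

/* Runs the out-of-memory scenario. Returns 1 if the usual cleanup sequence would
 * free the shared buffer twice, 0 if the work-around prevents it. */
static int would_double_free(int apply_workaround) {
    model_session src = {NULL, 16}, dst = {0};
    int rc, aliased;
    src.ticket = calloc(1, src.ticket_len);
    if (src.ticket == NULL) return -1;
    g_fail_next_alloc = 1;                        /* simulate the OOM condition */
    rc = model_session_copy(&dst, &src);
    if (rc == MODEL_ERR_ALLOC_FAILED && apply_workaround)
        dst.ticket = NULL;                        /* the advisory's work-around */
    aliased = (dst.ticket != NULL && dst.ticket == src.ticket);
    if (!aliased) model_session_free(&dst);       /* free each buffer exactly once */
    model_session_free(&src);
    return aliased;
}
```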


Labels: security (System security concerns and vulnerabilities), upstream (The issue is with an upstream dependency, e.g. LLVM)