CVE-2018-19608
Description
Arm Mbed TLS before versions 2.14.1, 2.7.8, and 2.1.17 is vulnerable to a local cache-based side-channel attack (CAT) enabling plaintext recovery of RSA decryption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Arm Mbed TLS versions prior to 2.14.1, 2.7.8, and 2.1.17 are vulnerable to a cache-based side-channel attack that leaks information during RSA decryption when using PKCS#1 v1.5 padding. The vulnerability resides in the RSA implementation and affects cipher suites without (EC)DH(E), allowing a local unprivileged attacker to recover plaintext from captured ciphertexts [1].
Exploitation
An unprivileged local attacker needs the ability to observe cache timing or access patterns on the victim machine while the target Mbed TLS process performs RSA decryption. The attacker must first capture an RSA ciphertext (e.g., by network sniffing) and then trigger multiple decryption operations, performing adaptive chosen-ciphertext queries that use the leaky implementation as a Bleichenbacher padding oracle. By parallelizing queries across multiple TLS servers sharing the same public key, the attack can complete within browser timeouts (30 seconds) [1].
Impact
Successful exploitation allows the attacker to recover the RSA plaintext, including the premaster secret in TLS connections. This breaks the confidentiality of the TLS session, enabling decryption of all subsequent traffic secured by that session key. The attacker gains plaintext recovery at the cryptographic level without needing higher privileges [1].
Mitigation
Arm Mbed TLS fixed this vulnerability in versions 2.14.1, 2.7.8, and 2.1.17 released in October 2018. Users should upgrade to patched versions immediately. No complete workaround is available; disabling RSA cipher suites without (EC)DHE is a partial mitigation but may break compatibility. The CVE is not listed on CISA's Known Exploited Vulnerabilities [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Microarchitectural side-channel leakage (cache timing) during RSA PKCS #1 v1.5 decryption allows a local attacker to use the implementation as a padding oracle."
Attack vector
A local unprivileged attacker exploits microarchitectural side-channel leakage (cache timing) during RSA decryption of PKCS #1 v1.5 ciphertexts [ref_id=1]. The attacker performs adaptive chosen-ciphertext queries, using the side-channel as a padding oracle to recover the RSA plaintext, including the TLS premaster secret [ref_id=1]. The attack can be parallelized across multiple TLS servers sharing the same public key certificate to complete within browser-imposed timeout limits [ref_id=1].
Affected code
The advisory does not specify exact function or file names. The vulnerability affects RSA decryption in Arm Mbed TLS versions before 2.14.1, before 2.7.8, and before 2.1.17, specifically in the context of RSA-without-(EC)DH(E) cipher suites [ref_id=1].
What the fix does
No patch diff is included in the bundle. The advisory indicates that the fix is to upgrade to Mbed TLS versions 2.14.1, 2.7.8, or 2.1.17, which implement mitigations against the cache-based side-channel attacks described in the paper [ref_id=1]. These mitigations aim to eliminate microarchitectural leakage during RSA PKCS #1 v1.5 decryption that could be used as a padding oracle.
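The advisory only characterizes the fix as removing microarchitectural leakage from PKCS #1 v1.5 decryption. The following added example is constructed here for illustration; it is not Mbed TLS's code and makes no claim about how the project's patch is written. It shows the kind of change that closes a cache-based padding oracle: an unpadding check whose control flow and memory access pattern do not depend on the decrypted bytes, next to the branchy form that a local timing observer can use as an oracle. All function names (unpad_leaky, unpad_ct, ct_eq32, ct_lt32, sample_block, demo_valid, demo_invalid) and the 32-byte sample block are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Mbed TLS's own code: PKCS #1 v1.5 type-2 unpadding
 * in a leaky shape (branches and indexes on decrypted bytes) and a constant-flow
 * shape (fixed byte order, verdict carried in a mask, no secret-indexed reads). */

static uint32_t ct_eq32(uint32_t a, uint32_t b)   /* all-ones if a == b, else 0 */
{ uint32_t x = a ^ b; return ((x | (0u - x)) >> 31) - 1u; }
static uint32_t ct_lt32(uint32_t a, uint32_t b)   /* all-ones if a < b (a, b < 2^31) */
{ return 0u - ((a - b) >> 31); }

/* 'Before' shape: early exits and a data-dependent loop bound make the code path
 * depend on where the padding fails, which is the signal a cache-timing observer
 * turns into a padding oracle. */
int unpad_leaky(const uint8_t *em, size_t em_len, uint8_t *out, size_t *out_len)
{
    if (em_len < 11 || em[0] != 0x00 || em[1] != 0x02)
        return 0;
    size_t i = 2;
    while (i < em_len && em[i] != 0x00)
        i++;
    if (i == em_len || i < 10)            /* no separator, or under 8 pad bytes */
        return 0;
    *out_len = em_len - i - 1;
    memcpy(out, em + i + 1, *out_len);
    return 1;
}

/* Constant-flow shape. em_len is the public modulus size, so branching on it
 * leaks nothing; no other value from the block steers control flow or addresses.
 * out must hold em_len - 11 bytes. Returns 1 if the padding was valid (message
 * in out, length in *out_len), else 0 with *out_len == 0. */
int unpad_ct(const uint8_t *em, size_t em_len, uint8_t *out, size_t *out_len)
{
    if (em_len < 11)
        return 0;
    size_t max_len = em_len - 11;

    /* Find the first 0x00 after the header while touching every byte. */
    uint32_t found = 0, sep = 0;
    for (size_t i = 2; i < em_len; i++) {
        uint32_t is_zero = ct_eq32(em[i], 0x00);
        sep |= (uint32_t)i & (is_zero & ~found);   /* keep only the first hit */
        found |= is_zero;
    }

    /* All checks folded into one mask: header bytes, separator present,
     * at least 8 padding bytes (separator index >= 10). */
    uint32_t ok = ct_eq32(em[0], 0x00) & ct_eq32(em[1], 0x02)
                & found & ~ct_lt32(sep, 10);

    /* Gather the message with a fixed access pattern: each output slot scans
     * every candidate source byte and selects by mask, never by secret index. */
    uint32_t start = (sep + 1) & ok;
    for (size_t j = 0; j < max_len; j++) {
        uint8_t b = 0;
        for (size_t k = 11; k < em_len; k++)
            b |= em[k] & (uint8_t)ct_eq32((uint32_t)k, start + (uint32_t)j);
        out[j] = b;
    }
    *out_len = (size_t)((uint32_t)(em_len - 1 - sep) & ok);
    return (int)(ok & 1u);
}

/* Constructed 32-byte sample block: 00 02 | 24 nonzero pad bytes | 00 | "hello". */
static void sample_block(uint8_t em[32])
{
    em[0] = 0x00; em[1] = 0x02;
    for (size_t i = 2; i < 26; i++) em[i] = (uint8_t)(0x10 + i);
    em[26] = 0x00;
    memcpy(em + 27, "hello", 5);
}

/* Both unpadders must accept the valid block and return "hello" (1 on success). */
int demo_valid(void)
{
    uint8_t em[32], a[21], b[21]; size_t la = 0, lb = 0;
    sample_block(em);
    return unpad_leaky(em, 32, a, &la) == 1 && la == 5 && memcmp(a, "hello", 5) == 0
        && unpad_ct(em, 32, b, &lb) == 1 && lb == 5 && memcmp(b, "hello", 5) == 0;
}

/* Both must reject a wrong block type and a too-short padding string (1 if so). */
int demo_invalid(void)
{
    uint8_t em[32], o[21]; size_t n = 1;
    sample_block(em); em[1] = 0x01;               /* type 1 instead of type 2 */
    int r1 = unpad_leaky(em, 32, o, &n) | unpad_ct(em, 32, o, &n);
    sample_block(em); em[5] = 0x00;               /* separator after only 3 pad bytes */
    int r2 = unpad_leaky(em, 32, o, &n) | unpad_ct(em, 32, o, &n);
    return r1 == 0 && r2 == 0 && n == 0;
}

int main(void)
{
    printf("valid: %d  invalid: %d\n", demo_valid(), demo_invalid());   /* expect 1 1 */
    return 0;
}
```

The unpadder still reveals its verdict through the return value; in TLS that verdict must not reach the peer either, which is why RFC 5246 section 7.4.7.1 has the server continue the handshake with a random premaster secret on failure rather than abort. Constant-flow C is also only as good as the generated machine code: an optimizing compiler may turn a mask select back into a branch, so the compiled object should be checked with a constant-time analysis tool rather than trusted from the source.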
Preconditions
- network: Attacker must have local unprivileged access to the same physical machine as the victim (to observe cache side channels)
- config: The TLS server must use an RSA-without-(EC)DH(E) cipher suite
- input: The attacker must be able to perform adaptive chosen-ciphertext queries (e.g., via a BEAST-like Man-in-the-Browser attack)
- config: Multiple TLS servers sharing the same RSA public key certificate may be needed to parallelize the attack within browser timeouts
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
- cat.eyalro.net (nvd; Third Party Advisory)
- tls.mbed.org/tech-updates/releases/mbedtls-2.14.1-2.7.8-and-2.1.17-released (nvd; Third Party Advisory)
- tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-03 (nvd; Third Party Advisory)
News mentions: 0
No linked articles in our index yet.