CVE-2021-24119
Description
Mbed TLS 2.24.0 base64 PEM decoding uses a non-constant-time lookup table, enabling side-channel leakage of secret RSA keys in isolated environments like Intel SGX.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Mbed TLS version 2.24.0, the base64 decoding routine used for PEM file parsing employs a non-constant-time lookup table. This implementation allows an attacker to observe memory access patterns during decoding, leaking information about the secret key material being processed [2]. The vulnerability is present in the base64 decode function and is reachable whenever a PEM-encoded private key (e.g., RSA) is loaded. The issue was fixed in Mbed TLS version 2.26.0 [2].
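The difference between the vulnerable lookup and a constant-time mapping is easiest to see side by side. The C below is a constructed illustration added here; it is neither Mbed TLS's decoder nor the project's actual patch, and the function names (`table_dec`, `ct_in_range`, `ct_dec`, `ct_base64_decode`) are this example's own. Both mappers return the same 6-bit values; only the second one keeps its memory accesses and branches independent of the byte being decoded.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example, not Mbed TLS source. The same base64 mapping two ways. */
static const char ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Variant 1: table lookup. Which cache line is loaded depends on the secret byte c. */
static int table_dec(unsigned char c) {
    static unsigned char table[256]; static int ready;
    if (!ready) {                          /* build the 256-entry table once */
        memset(table, 0xFF, sizeof table);
        for (int i = 0; i < 64; i++) table[(unsigned char)ALPHABET[i]] = (unsigned char)i;
        ready = 1;
    }
    return table[c] == 0xFF ? -1 : table[c];
}

/* 0xFF if lo <= c <= hi, else 0x00, using no branch and no table. */
static unsigned char ct_in_range(unsigned char c, unsigned char lo, unsigned char hi) {
    unsigned below = (unsigned)c - lo, above = (unsigned)hi - c; /* top bit set when out of range */
    unsigned bad = (below | above) >> (8 * sizeof(unsigned) - 1);
    return (unsigned char)(bad - 1u);
}

/* Variant 2: constant-time mapping; every input touches the same memory. -1 = not in alphabet. */
static int ct_dec(unsigned char c) {
    unsigned char v = 0, valid = 0, m;
    m = ct_in_range(c, 'A', 'Z'); v |= m & (c - 'A');      valid |= m;
    m = ct_in_range(c, 'a', 'z'); v |= m & (c - 'a' + 26); valid |= m;
    m = ct_in_range(c, '0', '9'); v |= m & (c - '0' + 52); valid |= m;
    m = ct_in_range(c, '+', '+'); v |= m & 62;             valid |= m;
    m = ct_in_range(c, '/', '/'); v |= m & 63;             valid |= m;
    return valid ? (int)v : -1;   /* the only branch is on validity, never on v */
}

/* Decode one base64 body (e.g. a PEM line) with the constant-time mapper: bytes written, or -1. */
static int ct_base64_decode(const char *in, unsigned char *out, size_t out_cap) {
    size_t o = 0; unsigned acc = 0; int bits = 0;
    for (; *in && *in != '='; in++) {      /* stop at the first padding character */
        int v = ct_dec((unsigned char)*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v; bits += 6;
        if (bits < 8) continue;
        if (o >= out_cap) return -1;
        out[o++] = (unsigned char)(acc >> (bits - 8)); bits -= 8;
    }
    return (int)o;
}
```

A unit test comparing `table_dec` and `ct_dec` over all 256 byte values is the cheap regression check that a change like this preserved results while removing the secret-indexed load.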
Exploitation
An attacker with system-level access to an isolated execution environment such as Intel SGX can exploit this side channel by single-stepping or monitoring cache timing during the base64 decoding of a PEM file [2]. By tracking which cache lines are accessed during the lookup-table-based decoding, the attacker can infer bits of the secret RSA key. No authentication or user interaction beyond the loading of a PEM key is required; the attacker must be co-located on the same hardware and have the ability to observe microarchitectural state.
Impact
Successful exploitation allows the attacker to recover the full secret RSA key from the PEM file [2]. This leads to a complete compromise of confidentiality and integrity for any cryptographic operations relying on that key, including TLS sessions, code signing, or data encryption. The attack does not require modification of the software or data, only observation of side-channel signals.
Mitigation
The vulnerability is fixed in Mbed TLS version 2.26.0 [2]. Users should upgrade to at least this version. Later releases, including the LTS branch 4.1.0, also contain the fix [1]. No workaround is documented for versions prior to 2.26.0. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Trusted Firmware / Mbed TLS (description)
- pkg:rpm/opensuse/mbedtls-2&distro=openSUSE%20Tumbleweed (no CPE), range: < 2.27.0-2.1
- pkg:rpm/opensuse/mbedtls&distro=openSUSE%20Leap%2015.2 (no CPE), range: < 2.16.9-lp152.2.6.1
- pkg:rpm/opensuse/mbedtls&distro=openSUSE%20Leap%2015.3 (no CPE), range: < 2.16.9-bp153.2.5.1
- pkg:rpm/suse/mbedtls&distro=SUSE%20Package%20Hub%2015%20SP2 (no CPE), range: < 2.16.9-bp152.2.6.1
- pkg:rpm/suse/mbedtls&distro=SUSE%20Package%20Hub%2015%20SP3 (no CPE), range: < 2.16.9-bp153.2.5.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DRRVY7DMTX3ECFNZKDYTSFEG5AI2HBC6/ (MITRE; vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYJW7HAW3TDV2YMDFYXP3HD6WRQRTLJW/ (MITRE; vendor advisory)
- lists.debian.org/debian-lts-announce/2021/11/msg00021.html (MITRE; mailing list)
- lists.debian.org/debian-lts-announce/2022/12/msg00036.html (MITRE; mailing list)
- github.com/ARMmbed/mbedtls/releases (MITRE)
- github.com/UzL-ITS/util-lookup/blob/main/cve-vulnerability-publication.md (MITRE)
News mentions
No linked articles in our index yet.