Mbed TLS is now part of TrustedFirmware.org.

Security Center

Security Disclosures

We disclose all security issues we find or we are advised of that are relevant for Mbed TLS. Please refer to the Mbed TLS Security Center at TrustedFirmware.org for more information about the reporting and disclosure process. Mbed TLS security advisories are listed below.

Known vulnerabilities

CVE stands for Common Vulnerabilities and Exposures. A CVE Identifier is a unique number that can be used across different security advisories by different vendors to refer to the same issue. The following CVE identifiers are known to involve Mbed TLS and PolarSSL:

| Mbed TLS / PolarSSL Advisory | CVE Identifier | Issue title | Fixed in |
|---|---|---|---|
| 2011-01 | CVE-2011-1923 | Possible man in the middle in Diffie Hellman key exchange | 0.14.2, 1.0.0 |
| 2011-02 | CVE-2011-4574 | Weak random number generation within virtualized environments | 1.1.0 |
| 2012-01 | CVE-2012-2130 | Weak Diffie-Hellman and RSA key generation | 1.1.2 |
| 2013-01 | CVE-2013-0169 | Lucky thirteen - timing side channel during decryption | 1.1.6, 1.2.6 |
| | CVE-2013-1621 | Denial of Service in SSL Module | 1.2.5 |
| 2013-02 | Unknown | RC4 ciphersuites in SSL and TLS vulnerable | Not solvable |
| | CVE-2013-1622 | False warning, not an issue in a numbered release. | |
| 2013-03 | CVE-2013-4623 | Denial of Service through Certificate message during handshake | 1.1.7, 1.2.8 |
| 2013-04 | CVE-2013-5914 | Buffer overflow in ssl_read_record() | 1.1.8, 1.2.9, 1.3.0 |
| 2013-05 | CVE-2013-5915 | Timing Attack against protected RSA-CRT implementation used in PolarSSL | 1.2.9, 1.3.0 |
| 2014-01 | CVE-2014-0160 | Heartbleed Bug | Not affected |
| 2014-02 | CVE-2014-4911 | Denial of Service against GCM-enabled entities | 1.2.11, 1.3.8 |
| 2014-03 | CVE-2014-3566 | POODLE attack on SSLv3 | Not affected |
| 2014-04 | CVE-2015-1182 | Remote attack using crafted certificates | 1.2.13, 1.3.10 |
| 2015-01 | CVE-2015-5291 | Remote attack on clients using session tickets or SNI | 1.2.17, 1.3.14, 2.1.2 |
| 2017-01 | CVE-2017-2784 | Multiple vulnerabilities | 1.3.19, 2.1.7, 2.4.2 |
| 2017-02 | CVE-2017-14032 | Bypass of authentication of peer | 1.3.21, 2.1.9, 2.6.0 |
| 2018-01 | CVE-2018-0488, CVE-2018-0487 | Risk of remote code execution when truncated HMAC is enabled and Risk of remote code execution when verifying RSASSA-PSS signatures | 1.3.22, 2.1.10, 2.7.0 |
| 2018-02 | CVE-2018-0497, CVE-2018-0498 | Plaintext recovery on use of CBC based ciphersuites through timing side-channels | 2.1.14, 2.7.5, 2.12.0 |
| 2018-03 | CVE-2018-19608 | Local timing attack on RSA decryption | 2.1.17, 2.7.8, 2.14.1 |
| 2019-10 | CVE-2019-16910 | Side channel attack on deterministic ECDSA | 2.7.12, 2.16.3, 2.19.0 |
| 2019-12 | CVE-2019-18222 | Side channel attack on ECDSA | 2.7.13, 2.16.4, 2.20.0 |
| 2020-02 | Unknown | Cache attack against RSA key import in SGX | 2.7.14, 2.16.5, 2.21.0 |
| 2020-04 | CVE-2020-10932 | Side channel attack on ECDSA [2] | 2.7.15, 2.16.6, 2.22.0 |
| 2020-07 | Unknown | Side-channel attack on ECC key import and validation | 2.7.16, 2.16.7, 2.23.0 |
| 2020-09-1 | CVE-2020-16150 | Local side channel attack on classical CBC decryption in (D)TLS | 2.7.17, 2.16.8, 2.24.0 |
| 2020-09-2 | Unknown | Local side channel attack on RSA and static Diffie-Hellman | 2.7.17, 2.16.8, 2.24.0 |
| 2020-09-3 | Unknown | Protocol weakness in DHE-PSK key exchange | N/A |
| 2021-07-1 | Unknown | Local side channel attack on RSA | 2.16.11, 2.27.0, 3.0.0 |
| 2021-07-2 | Unknown | Local side channel attack on static Diffie-Hellman with Montgomery curves | 2.16.11, 2.27.0, 3.0.0 |

Known attacks

We are trying to build a repository of all known relevant attacks on SSL and on cryptographic components in general, or on the implementation within Mbed TLS specifically. Many items are still missing. Please help us make this a complete repository by sending omissions to us at: attacks at polarssl dot org (or via the contact form). The following attacks are known to be relevant for SSL / cryptography in general or Mbed TLS / PolarSSL specifically:

| Year | Title | Targets | Download |
|---|---|---|---|
| 2014 | Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations | X.509 certificate handling | shmat_oak14.pdf |
| 2013 | Timing Attack against protected RSA-CRT implementation used in PolarSSL | RSA | ctrsa13.pdf |
| 2013 | Lucky13: Breaking the TLS and DTLS Record Protocols | CBC padding in SSL/TLS/DTLS | TLStiming.pdf |
| 2013 | On the Security of RC4 in TLS and WPA | RC4 in TLS | RC4biases.pdf |
| 2005 | Improving Brumley and Boneh timing attack on unprotected SSL implementation | RSA | c36.pdf |
| 2003 | Remote timing attacks are practical | RSA | ssl-timing.pdf |
| 2000 | A Timing Attack against RSA with the Chinese Remainder Theorem | RSA | WSchindler-RSA_Timing_Attack.pdf |