CVE-2020-36421: 
Mbed TLS vulnerability analysis and mitigation

An issue was discovered in Arm Mbed TLS before version 2.23.0, identified as CVE-2020-36421. The vulnerability is related to a side channel in modular exponentiation that could potentially expose an RSA private key when used in a secure enclave. This vulnerability was discovered by researchers from Georgia Institute of Technology (Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim, and Hyesoon Kim) and Microsoft Research (Marcus Peinado), and was reported by Raoul Strackx from Fortanix (GitHub Issue).

The vulnerability stems from a timing side-channel in the modular exponentiation implementation. The issue occurs because the front-end of the processor fetches instructions with a 16-byte well-aligned window, and the time to resume an instruction depends on its location within this fetch window and instructions near it. This timing difference can be exploited even in balanced branches, allowing attackers to determine control flow in SGX enclaves by precisely timing interrupt latency (GitHub Release).

The primary impact of this vulnerability is the potential disclosure of RSA private keys used within secure enclaves. An attacker with access to precise timing and memory access information, typically an untrusted operating system attacking a secure enclave, could potentially extract the private key material (GitHub Release).

The vulnerability was fixed in Mbed TLS version 2.23.0 and backported to version 2.16.7. Users are recommended to upgrade to these or later versions. For Debian systems, the fix was included in version 2.16.9-0~deb10u1 (Debian Advisory).