CVE-2024-23170: 
Mbed TLS vulnerability analysis and mitigation

A timing side-channel vulnerability (CVE-2024-23170) was discovered in Mbed TLS versions 2.x before 2.28.7 and 3.x before 3.5.2. The vulnerability was identified in RSA private operations and was disclosed on January 10, 2024. The affected software, Mbed TLS, is a lightweight open-source cryptographic and SSL/TLS library written in C (Vendor Advisory).

The vulnerability stems from a timing side channel in RSA private operations. The issue could allow attackers with precise timing measurements to recover plaintext data. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating local access is required and the primary impact is on confidentiality (NVD).

The vulnerability could enable an attacker to recover plaintext data from encrypted communications. This is particularly concerning for local attackers or remote attackers who are close to the victim on the network and can obtain precise timing measurements. The attack requires the ability to send a large number of messages for decryption, as described in the 'Everlasting ROBOT: the Marvin Attack' by Hubert Kario (Vendor Advisory).

The vulnerability has been fixed in Mbed TLS versions 2.28.7 and 3.5.2. Users are strongly advised to upgrade to these versions or later as there are no known workarounds for this vulnerability. The fix addresses the timing side channel in the RSA private operations implementation (Vendor Advisory).