CVE-2020-20949
First published: Wed Jan 20 2021(Updated: )
Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA in STM32 cryptographic firmware library software expansion for STM32Cube (UM1924). The vulnerability can allow one to use Bleichenbacher's oracle attack to decrypt an encrypted ciphertext by making successive queries to the server using the vulnerable library, resulting in remote information disclosure.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| St Stm32cubef0 | ||
| St Stm32cubef1 | ||
| St Stm32cubef2 | ||
| St Stm32cubef3 | ||
| St Stm32cubef4 | ||
| St Stm32cubef7 | ||
| St Stm32cubeg0 | ||
| St Stm32cubeg4 | ||
| St Stm32cubeh7 | ||
| St Stm32cubeide | ||
| St Stm32cubel0 | ||
| St Stm32cubel1 | ||
| St Stm32cubel4 | ||
| St Stm32cubel4\+ | ||
| St Stm32cubel5 | ||
| St Stm32cubemonitor | ||
| St Stm32cubemp1 | ||
| St Stm32cubemx | ||
| St Stm32cubeprogrammer | ||
| St Stm32cubewb | ||
| St Stm32cubewl | ||
| Ietf Public Key Cryptography Standards \#1 | =1.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-20949?
CVE-2020-20949 is a vulnerability known as Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA in STM32 cryptographic firmware library software expansion for STM32Cube (UM1924).
How does the Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA work?
Bleichenbacher's attack allows an attacker to decrypt an encrypted ciphertext by making successive queries using Bleichenbacher's oracle attack.
What is the severity of CVE-2020-20949?
The severity of CVE-2020-20949 is medium with a severity value of 5.9.
Which software and devices are affected by CVE-2020-20949?
The vulnerability affects STM32Cube firmware library software expansions for various STM32 devices, including Stm32cubef0, Stm32cubef1, Stm32cubef2, Stm32cubef3, Stm32cubef4, Stm32cubef7, Stm32cubeg0, Stm32cubeg4, Stm32cubeh7, Stm32cubeide, Stm32cubel0, Stm32cubel1, Stm32cubel4, Stm32cubel4+, Stm32cubel5, Stm32cubemonitor, Stm32cubemp1, Stm32cubemx, Stm32cubeprogrammer, Stm32cubewb, Stm32cubewl.
How can I fix CVE-2020-20949?
To fix CVE-2020-20949, users are advised to update the STM32Cube firmware library software expansion to the latest version provided by STMicroelectronics.
- collector/nvd-index
- agent/author
- agent/severity
- agent/weakness
- agent/tags
- agent/type
- agent/event
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- agent/description
- agent/references
- collector/mitre-cve
- source/MITRE
- vendor/st
- canonical/st stm32cubef0
- canonical/st stm32cubef1
- canonical/st stm32cubef2
- canonical/st stm32cubef3
- canonical/st stm32cubef4
- canonical/st stm32cubef7
- canonical/st stm32cubeg0
- canonical/st stm32cubeg4
- canonical/st stm32cubeh7
- canonical/st stm32cubeide
- canonical/st stm32cubel0
- canonical/st stm32cubel1
- canonical/st stm32cubel4
- canonical/st stm32cubel4\+
- canonical/st stm32cubel5
- canonical/st stm32cubemonitor
- canonical/st stm32cubemp1
- canonical/st stm32cubemx
- canonical/st stm32cubeprogrammer
- canonical/st stm32cubewb
- canonical/st stm32cubewl
- vendor/ietf
- canonical/ietf public key cryptography standards \#1
- version/ietf public key cryptography standards \#1/1.5