nCipher PKCS#11 Library Access Control Bugs May Let Users Obtain Plaintext Keys
|
SecurityTracker Alert ID: 1005839
SecurityTracker URL: http://securitytracker.com/id/1005839
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Dec 20 2002
|
Impact:
Disclosure of authentication information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Description:
An access control vulnerability was reported in the nCipher PKCS#11 library. Depending on the application and the configuration, a user may be able to obtain plaintext keys.
nCipher released a security advisory warning of a flaw in the nCipher PKCS#11 library. Ostensibly secure keys created by the library may, in certain limited circumstances, be exportable from the hardware security module in plaintext form. Other access control defects may also be exhibited.
According to the vendor, a very small number of installations may be vulnerable.
|
Impact:
A user may be able to obtain certain keys in plaintext form. The exact impact depends on the application that uses the library and that application's configuration.
|
Solution:
The vendor has released a patch kit for the following platforms:
* AIX 4.3.3
* AIX 5L (32 bit only)
* HP-UX 10.20 / HP-UX 11
* Linux libc6 / Linux libc6.1
* Solaris 2.6 / Solaris 2.7 / Solaris 2.8 / Solaris 2.9
* Trusted Solaris 2.8
* Windows NT 4 / Windows 2000
Contact the vendor for more information at:
support@ncipher.com.
Also, see the vendor's advisory for extremely detailed instructions on how to determine if you are affected and what to do if you think you are affected:
http://www.ncipher.com/support/advisories/advisory6_pkcs11.html
|
Vendor URL: www.ncipher.com/support/advisories/advisory6_pkcs11.html
|
Cause:
Access control error
|
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)
|
Underlying OS Comments: AIX 4.3.3, AIX 5L (32 bit only), HP-UX 10.20 / HP-UX 11, Linux libc6 / Linux libc6.1, Solaris 2.6 / Solaris 2.7 / Solaris 2.8 / Solaris 2.9, Trusted Solaris 2.8, Windows NT 4, Windows 2000
|
Message History:
None.
|
Source Message Contents
|
Subject: nCipher: Access control defects in PKCS#11 keys
|
http://www.ncipher.com/support/advisories/advisory6_pkcs11.html
Security Advisory No.6
Access control defects in PKCS#11 keys
nCipher released a security advisory warning of a flaw in the nCipher PKCS#11 library.
Ostensibly secure keys created by the library may, in certain limited circumstances, be
exportable from the hardware security module in plaintext form. Other access control
defects may also be exhibited.
According to the vendor, a "very small" number of installations may be vulnerable.
The vendor has released a patch kit for the following platforms:
* AIX 4.3.3
* AIX 5L (32 bit only)
* HP-UX 10.20 / HP-UX 11
* Linux libc6 / Linux libc6.1
* Solaris 2.6 / Solaris 2.7 / Solaris 2.8 / Solaris 2.9
* Trusted Solaris 2.8
* Windows NT 4 / Windows 2000
Contact the vendor for more information at:
support@ncipher.com.
Also, see the vendor's advisory for extremely detailed instructions on how to determine if
you are affected and what to do if you think you are affected:
http://www.ncipher.com/support/advisories/advisory6_pkcs11.html
|