Category:   Application (Security)  >   nCipher PKCS#11 Library
Vendors:   nCipher
nCipher PKCS#11 Library Access Control Bugs May Let Users Obtain Plaintext Keys
SecurityTracker Alert ID:  1005839
SecurityTracker URL:  http://securitytracker.com/id/1005839
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 20 2002
Impact:   Disclosure of authentication information
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   An access control vulnerability was reported in the nCipher PKCS#11 library. Depending on the application and the configuration, a user may be able to obtain plaintext keys.

nCipher released a security advisory warning of a flaw in the nCipher PKCS#11 library. Ostensibly secure keys created by the library may, in certain limited circumstances, be exportable from the hardware security module in plaintext form. Other access control defects may also be exhibited.

According to the vendor, a very small number of installations may be vulnerable.

Impact:   A user may be able to obtain certain keys in plaintext form. The exact impact depends on the application that uses the library and that application's configuration.
Solution:   The vendor has released a patch kit for the following platforms:

* AIX 4.3.3
* AIX 5L (32 bit only)
* HP-UX 10.20 / HP-UX 11
* Linux libc6 / Linux libc6.1
* Solaris 2.6 / Solaris 2.7 / Solaris 2.8 / Solaris 2.9
* Trusted Solaris 2.8
* Windows NT 4 / Windows 2000

Contact the vendor for more information at:

support@ncipher.com.

Also, see the vendor's advisory for extremely detailed instructions on how to determine if you are affected and what to do if you think you are affected:

http://www.ncipher.com/support/advisories/advisory6_pkcs11.html

Vendor URL:  www.ncipher.com/support/advisories/advisory6_pkcs11.html
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)
Underlying OS Comments:  AIX 4.3.3, AIX 5L (32 bit only), HP-UX 10.20 / HP-UX 11, Linux libc6 / Linux libc6.1, Solaris 2.6 / Solaris 2.7 / Solaris 2.8 / Solaris 2.9, Trusted Solaris 2.8, Windows NT 4, Windows 2000

Message History:   None.


 Source Message Contents

Subject:  nCipher: Access control defects in PKCS#11 keys


http://www.ncipher.com/support/advisories/advisory6_pkcs11.html

Security Advisory No.6
Access control defects in PKCS#11 keys

nCipher released a security advisory warning of a flaw in the nCipher PKCS#11 library. 
Ostensibly secure keys created by the library may, in certain limited circumstances, be
exportable from the hardware security module in plaintext form.  Other access control
defects may also be exhibited.

According to the vendor, a "very small" number of installations may be vulnerable.

The vendor has released a patch kit for the following platforms:

    * AIX 4.3.3
    * AIX 5L (32 bit only)
    * HP-UX 10.20 / HP-UX 11
    * Linux libc6 / Linux libc6.1
    * Solaris 2.6 / Solaris 2.7 / Solaris 2.8 / Solaris 2.9
    * Trusted Solaris 2.8
    * Windows NT 4 / Windows 2000

Contact the vendor for more information at:

support@ncipher.com.

Also, see the vendor's advisory for extremely detailed instructions on how to determine if
you are affected and what to do if you think you are affected:

http://www.ncipher.com/support/advisories/advisory6_pkcs11.html



 
 

