Category:   Application (Security)  >   nCipher Utility (generatekey)
Vendors:   nCipher
nCipher KeySafe and 'generatekey' Utilities May Leave Copies of Imported Keys on the System
SecurityTracker Alert ID:  1006183
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 26 2003
Impact:   Disclosure of authentication information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 7.0 (nCipher Support CD Version)
Description:   A vulnerability was reported in the nCipher generatekey and KeySafe utilities. The software may leave copies of imported key files on the system.

nCipher released a security advisory warning that these utilities may unexpectedly leave a duplicate imported software-based key on the system when used to import software-based keys into an nCipher, nShield, or nForce hardware security module.

According to the report, the software makes a temporary copy of the source key from the PEM file while converting the key into the 'DER' format for import to the nCipher hardware module, but fails to delete the temporary copy after the key has been imported.

The flaw reportedly resides in the generatekey command line utility, which is also used by the KeySafe graphical utility.

Impact:   A local user may be able to obtain a copy of a key that has been previously imported.
Solution:   The vendor has released a fixed version of the nCipher support software (CD version 7.00 or later), which includes a fixed version of generatekey.

The vendor notes that the fixed version will attempt to remove temporary files created during the import process. However, customers should be aware that the underlying physical media may continue to contain the copy of the key. As such, the fixed version does not eliminate the security vulnerabilities related to importing software-based keys.

Also, the updated version will not check for temporary keys created during previous import attempts.
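
Because the fixed version does not look for copies left by earlier imports, an administrator has to sweep for them. The following is an added example, not code from nCipher or from this alert: a heuristic scanner that flags files whose contents look like PEM or DER private-key material. The alert does not say where the temporary copy is written or what it is named, so the directory passed to `scan()` is an assumption the operator supplies; `classify`, `scan` and `demo` are hypothetical names, and the sample bytes are constructed DER skeletons, not keys.

```python
import os
import re
import tempfile

PEM_RE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )?PRIVATE KEY-----")

def _der_body(data):
    """Body of an outer DER SEQUENCE that spans the whole file, else b''."""
    if len(data) < 2 or data[0] != 0x30:
        return b""
    n, off = data[1], 2
    if n & 0x80:                      # long form: low 7 bits count the length bytes
        off = 2 + (n & 0x7F)
        n = int.from_bytes(data[2:off], "big")
    return data[off:off + n] if len(data) - off == n else b""

def classify(data):
    """Heuristic label: 'pem', 'der-traditional', 'der-pkcs8', or None."""
    if PEM_RE.search(data):
        return "pem"
    body = _der_body(data)            # private-key structures open with INTEGER version 0
    kinds = {b"\x02": "der-traditional", b"\x30": "der-pkcs8"}
    return kinds.get(body[3:4]) if body[:3] == b"\x02\x01\x00" else None

def scan(root, max_size=64 * 1024):
    """Yield (relative path, kind) for files under root that look like private keys."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not os.path.isfile(path) or os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    kind = classify(fh.read())
            except OSError:
                continue              # unreadable: skip, keep sweeping
            if kind:
                yield os.path.relpath(path, root), kind

def demo():
    """Run scan() over a constructed directory; the DER blobs are skeletons, not keys."""
    samples = {"a.tmp": b"\x30\x09\x02\x01\x00\x02\x01\x11\x02\x01\x03",
               "b.tmp": b"\x30\x0a\x02\x01\x00\x30\x02\x05\x00\x04\x01\x00",
               "c.pem": b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
               "d.txt": b"not a key\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, blob in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(blob)
        return sorted(scan(root))
```

A hit only shows that a file still exists; as the vendor notes, removing it does not guarantee the key is gone from the underlying physical media.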

See the vendor's advisory for important information about how to determine if you are affected and for guidance about the security concerns associated with importing software-based keys. The advisory is available at the Vendor URL and at:

Vendor URL:
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (FreeBSD), UNIX (HP/UX), UNIX (SGI/IRIX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   None.
