nCipher Hardware Security Module (HSM) Firmware May Disclose Keys to Users
|
SecurityTracker Alert ID: 1009176 |
SecurityTracker URL: http://securitytracker.com/id/1009176
|
CVE Reference: CVE-2004-0320
|
Updated: Mar 23 2004
|
Original Entry Date: Feb 23 2004
|
Impact:
Disclosure of authentication information, Disclosure of system information, Disclosure of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): For affected versions, contact the vendor.
|
Description:
A vulnerability was reported in nCipher's Hardware Security Module (HSM) firmware. A user may be able to access secret data stored in the module, including encryption keys.
nCipher released a security advisory warning that certain HSM firmware versions contain an implementation error. A user can send specially crafted sequences of commands to the system to gain access to secret information stored in the module's run-time memory, including application keys and nCipher Security World infrastructure keys.
On a host-connected HSM in a typical configuration, any local user can exploit this flaw.
|
Impact:
A local user (or process) that can issue HSM commands may be able to obtain secret information from the module, including keys.
|
Solution:
The vendor has issued updated firmware, available from nCipher Support:
support@ncipher.com.
USA or Canada: +1 781 994 4008
All other countries: +44 1223 723666
For the vendor's security advisory, see:
http://www.ncipher.com/support/advisories/index.html
|
Vendor URL: www.ncipher.com/support/advisories/index.html
|
Cause:
Access control error
|