Executive Summary

Summary
Title: Infineon RSA library does not properly generate RSA key pairs

Information
Name: VU#307015 | First vendor publication: 2017-10-16
Vendor: VU-CERT | Last vendor modification: 2017-11-08
Severity (vendor): N/A | Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA | Environmental score: NA
Impact sub score: NA | Temporal score: NA
Exploitability sub score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS base score: 4.3 | Attack range: Network
CVSS impact score: 2.9 | Attack complexity: Medium
CVSS exploit score: 8.6 | Authentication: None required

Detail

Vulnerability Note VU#307015

Infineon RSA library does not properly generate RSA key pairs

Original Release date: 16 Oct 2017 | Last revised: 08 Nov 2017

Overview

The Infineon RSA library version 1.02.013 does not properly generate RSA key pairs, which may allow an attacker to recover the RSA private key corresponding to an RSA public key generated by this library. This vulnerability is often cited as "ROCA" in the media.

Description

CWE-310: Cryptographic Issues - CVE-2017-15361

The Infineon RSA library version 1.02.013 does not properly generate RSA key pairs. As a result, the keyspace that a brute-force search must cover is reduced to the point that it is feasible to factorize keys of up to at least 2048 bits and obtain the RSA private key. The attacker needs only the victim's RSA public key generated by this library in order to calculate the private key.

Note that only RSA key generation is impacted. ECC is unaffected. RSA keys generated by other devices/libraries may also be used safely with this library.

Trusted Platform Modules (TPM) or smartcards may use this RSA library in their products. Infineon has provided a partial list of impacted vendors in a security advisory. Please see our list of impacted vendors below.

A research paper with more detail was presented at the ACM CCS conference in November 2017. Also in early November 2017, an independent research team produced a more successful attack against this flaw based on summary details from the original paper.

Impact

A remote attacker may be able to recover the RSA private key from a victim's public key, if it was generated by the Infineon RSA library.

Solution

Apply an update

Check with your device manufacturer for information on firmware updates. A partial list of affected vendors is below.

Alternatively, affected users may use the following workarounds:

Replace the device

Consider replacing the vulnerable device with a non-impacted device.

Generate a new RSA or ECC key pair

ECC keys are not impacted by this vulnerability. Affected users should consider generating a new ECC key pair to replace the vulnerable RSA key pair.

Alternatively, if RSA keys are required, affected users may generate an RSA key pair using a different method (e.g., OpenSSL) and then use the new secure RSA key pair with the old device. Only RSA key generation is impacted, not the use of securely generated keys.

4096-bit RSA keys generated by the Infineon library are not known to be practically factorizable at current publication time, but affected users should not rely on this property for the long-term future.
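The vulnerable keys can be recognised from the public key alone, which is how the referenced roca tool and the Nessus plugin detect them, and the same check is useful for confirming that a replacement key generated elsewhere (as recommended above) does not carry the fingerprint. The following Python is an added example, not code from CERT, Infineon or the crocs-muni/roca project: it implements the fingerprint test described in the referenced CCS'17 paper (affected primes have the form p = k*M + (65537^a mod M), so the modulus mod every small prime dividing M is a power of 65537) and builds a constructed modulus with that structure to exercise it. The prime set (the first 38 odd primes), the Miller-Rabin helper and the constructed modulus are assumptions of this demo, not real device keys.

```python
from math import prod

# Assumption for this demo: the first 38 odd primes (3..167) as the small-prime set.
SMALL_PRIMES = [p for p in range(3, 168) if all(p % d for d in range(2, p))]
M = prod(SMALL_PRIMES)  # product of the small primes, as in the affected generator

def generator_subgroup(p, g=65537):
    """Residues {g^j mod p}: the only values an affected modulus can take mod p."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % p
    return seen

SUBGROUPS = {p: generator_subgroup(p) for p in SMALL_PRIMES}
def has_roca_fingerprint(n):
    """True when n mod p is a power of 65537 for every small prime p (ROCA structure)."""
    return all(n % p in SUBGROUPS[p] for p in SMALL_PRIMES)

def is_probable_prime(n, rounds=20):
    """Miller-Rabin with fixed small bases; adequate for building the demo modulus."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in range(2, 2 + rounds):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def synthetic_roca_prime(a, k_start):
    """Constructed prime p = k*M + (65537^a mod M), the shape the affected library produces."""
    r, k = pow(65537, a, M), k_start
    while not is_probable_prime(k * M + r):
        k += 1
    return k * M + r

def synthetic_roca_modulus():
    """Constructed demo modulus with the vulnerable structure (not a real device key)."""
    return synthetic_roca_prime(17, 3) * synthetic_roca_prime(42, 5)
```

A modulus taken from a real certificate or SSH key can be passed to has_roca_fingerprint directly; the product of the Mersenne primes 2^127-1 and 2^89-1 serves as a negative control in the test.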

Vendor Information

Vendor                      | Status   | Date Notified | Date Updated
Atos SE                     | Affected | 24 Oct 2017   | 24 Oct 2017
Dell                        | Affected | 19 Oct 2017   | 24 Oct 2017
Fujitsu                     | Affected | 16 Oct 2017   | 16 Oct 2017
Gemalto AV                  | Affected | 18 Oct 2017   | 02 Nov 2017
Google                      | Affected | 16 Oct 2017   | 16 Oct 2017
Hewlett Packard Enterprise  | Affected | 16 Oct 2017   | 16 Oct 2017
Infineon Technologies AG    | Affected | 16 Oct 2017   | 24 Oct 2017
Lenovo                      | Affected | 16 Oct 2017   | 16 Oct 2017
Microsoft Corporation       | Affected | 16 Oct 2017   | 16 Oct 2017
Rubrik                      | Affected | 24 Oct 2017   | 24 Oct 2017
Taglio LLC                  | Affected | -             | 02 Nov 2017
WinMagic                    | Affected | 16 Oct 2017   | 16 Oct 2017
Yubico                      | Affected | 16 Oct 2017   | 16 Oct 2017

CVSS Metrics

Group         | Score | Vector
Base          | 8.8   | AV:N/AC:M/Au:N/C:C/I:C/A:N
Temporal      | 6.9   | E:POC/RL:OF/RC:C
Environmental | 6.9   | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

  • https://crocs.fi.muni.cz/public/papers/rsa_ccs17
  • https://crocs.fi.muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf
  • https://github.com/crocs-muni/roca
  • https://www.infineon.com/cms/en/product/promopages/tpm-update/?redirId=59160
  • https://blog.cr.yp.to/20171105-infineon.html
  • http://cwe.mitre.org/data/definitions/310.html

Credit

This vulnerability was disclosed by Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec, and Vashek Matyas.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2017-15361
  • Date Public: 16 Oct 2017
  • Date First Published: 16 Oct 2017
  • Date Last Updated: 08 Nov 2017
  • Document Revision: 59


Original Source

Url : http://www.kb.cert.org/vuls/id/307015

CPE: Common Platform Enumeration

Type | Description | Count
Os   |             | 4

Nessus® Vulnerability Scanner

Date       | Description
2017-10-17 | Name: The X.509 certificate chain used by this service contains certificates with R...
           | File: ssl_weak_rsa_keys_roca.nasl - Type: ACT_GATHER_INFO

Alert History

Date | Information
2017-11-09 00:20:53
  • Multiple Updates
2017-11-08 21:26:07
  • Multiple Updates
2017-11-08 17:22:49
  • Multiple Updates
2017-11-02 13:23:04
  • Multiple Updates
2017-10-25 00:22:38
  • Multiple Updates
2017-10-24 21:23:07
  • Multiple Updates
2017-10-21 00:22:48
  • Multiple Updates
2017-10-20 21:22:55
  • Multiple Updates
2017-10-19 17:22:17
  • Multiple Updates
2017-10-18 21:22:29
  • Multiple Updates
2017-10-17 00:22:46
  • First insertion