4 - VU#659615

Executive Summary

Summary
Title	Oberthur smart cards generate weak certificates

Informations
Name	VU#659615	First vendor Publication	2012-11-09
Vendor	VU-CERT	Last vendor Modification	2012-11-09
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:H/Au:N/C:N/I:C/A:N)
Cvss Base Score	4	Attack Range	Local
Cvss Impact Score	6.9	Attack Complexity	High
Cvss Expoit Score	1.9	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#659615

Oberthur smart cards generate weak certificates

Original Release date: 09 Nov 2012 | Last revised: 09 Nov 2012

Overview

A flaw has been identified in Oberthur ID-One COSMO 64, v5.2 and v5.2a smart cards, which results in public keys that do not satisfy the requirements of the Digital Signature Standard (as specified in FIPS PUB 186-3 and its predecessors).

Description

Oberthur ID-One COSMO 64, v5.2 and v5.2a smart cards contain a flaw, which results in public keys that do not satisfy the requirements of the Digital Signature Standard (as specified in FIPS PUB 186-3 [PDF] and its predecessors).

Impact

An attacker may be able to adversely affect the integrity of the smart card identity.

Solution

Replace the smart card

Organizations should contact Oberthur Technologies through their regular support channels to determine if their smart cards are affected and to receive replacements.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Oberthur	Affected	-	09 Nov 2012

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	4.0	AV:L/AC:H/Au:N/C:N/I:C/A:N
Temporal	3.1	E:POC/RL:OF/RC:C
Environmental	2.3	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

http://www.oberthur.com/
http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf

Credit

Thanks to NSA IAD for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs:Unknown
Date Public:09 Nov 2012
Date First Published:09 Nov 2012
Date Last Updated:09 Nov 2012
Document Revision:21

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/659615

CPE : Common Platform Enumeration

Type	Description	Count
Hardware	Oberthur Id-One Cosmo cpe:2.3:h:oberthur:id-one_cosmo:64:::::::* cpe:2.3:h:oberthur:id-one_cosmo:5.2:::::::* cpe:2.3:h:oberthur:id-one_cosmo:5.2:a::::::	3

Alert History

If you want to see full details history, please login or register.

Date	Informations
2012-11-29 21:21:49	Multiple Updates
2012-11-29 21:20:26	Multiple Updates
2012-11-15 00:20:41	Multiple Updates
2012-11-14 17:22:17	Multiple Updates
2012-11-09 17:18:55	First insertion