nCipher Hardware Security Module Firmware Secrets Disclosure Vulnerability

Bugtraq ID:	9717
Class:	Design Error
CVE:
Remote:	Yes
Local:	No
Published:	Feb 23 2004 12:00AM
Updated:	Feb 23 2004 12:00AM
Credit:	The vendor announced this vulnerability.
Vulnerable:	nCipher nShield 2.12.2 nCipher nShield 2.12 nCipher nShield 2.0.4 nCipher nShield 2.0 nCipher nShield 1.79.81 nCipher nShield 1.79.80 nCipher nShield 1.79.12 nCipher nShield 1.77.97 nCipher nShield 1.77.93 nCipher nShield 1.77.9 nCipher nShield 1.75.15 nCipher nShield 1.71.90 nCipher nShield 1.71.15 nCipher nShield 1.71.11
Not Vulnerable:	nCipher nShield 2.12.8 nCipher nShield 2.12.6 nCipher nShield 2.0.5 nCipher nShield 1.77.98 nCipher nShield 1.71.91

nCipher Hardware Security Module Firmware Secrets Disclosure Vulnerability

nCipher HSM firmware has been reported prone to a vulnerability that may provide for the disclosure of certain secret keys. It has been reported that an attacker who has the ability to invoke commands with a vulnerable nCipher HSM may potentially exploit this vulnerability to peruse the affected module's run-time memory and disclose the keys.

nCipher Hardware Security Module Firmware Secrets Disclosure Vulnerability

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.

nCipher Hardware Security Module Firmware Secrets Disclosure Vulnerability

Solution:
The vendor has produced fixes to address this issue. The vendor has advised that customers contact nCipher support for details regarding obtaining relevant firmware updates.

nCipher Hardware Security Module Firmware Secrets Disclosure Vulnerability

References:

• nCipher Homepage (nCipher)
  
• nCipher Advisory #9: Host-side attackers can access secret data (nCipher Support )