
CERT Coordination Center


Infineon RSA library does not properly generate RSA key pairs

Vulnerability Note VU#307015

Original Release Date: 2017-10-16 | Last Revised: 2017-11-08

Overview

The Infineon RSA library version 1.02.013 does not properly generate RSA key pairs, which may allow an attacker to recover the RSA private key corresponding to an RSA public key generated by this library. This vulnerability is often cited as "ROCA" in the media.

Description

CWE-310: Cryptographic Issues - CVE-2017-15361

The Infineon RSA library version 1.02.013 does not properly generate RSA key pairs. As a result, the keyspace that a brute-force search must cover is reduced enough that it is feasible to factorize keys of up to at least 2048 bits and obtain the RSA private key. The attacker needs only the victim's RSA public key, if it was generated by this library, in order to calculate the private key.

Note that only RSA key generation is impacted. ECC is unaffected. RSA keys generated by other devices/libraries may also be used safely with this library.

Trusted Platform Modules (TPMs) and smartcards may use this RSA library. Infineon has provided a partial list of impacted vendors in a security advisory. Please see our list of impacted vendors below.

A research paper with more detail was presented at the ACM CCS conference in November 2017. Also in early November 2017, an independent research team produced a more successful attack against this flaw based on summary details from the original paper.

Impact

A remote attacker may be able to recover the RSA private key from a victim's public key, if it was generated by the Infineon RSA library.

Solution

Apply an update

Check with your device manufacturer for information on firmware updates. A partial list of affected vendors is below.

Alternatively, affected users may use the following workarounds:

Replace the device

Consider replacing the vulnerable device with a non-impacted device.

Generate a new RSA or ECC key pair

ECC keys are not impacted by this vulnerability. Affected users should consider generating a new ECC key pair to replace the vulnerable RSA key pair.

Alternatively, if RSA keys are required, affected users may generate an RSA key pair using a different method (e.g., OpenSSL) and then use the new secure RSA key pair with the old device. Only RSA key generation is impacted, not the use of securely generated keys.

4096-bit RSA keys generated by the Infineon library are not known to be practically factorizable at the time of publication, but affected users should not rely on this property for the long-term future.
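The structural weakness described under Description is also what lets a defender tell, from the public key alone, whether an existing key came from the affected library, which is the question the Solution section asks of affected users. The following script is an added example, not code from CERT, Infineon or the ROCA researchers: it implements the per-small-prime fingerprint (each prime the library produces has the form k*M + 65537^a mod M, so N mod r must lie in the subgroup generated by 65537 for every small prime r dividing M), reports the share of ordinary keys the test would wrongly flag, and, so that it runs offline, constructs a sample modulus with that structure next to an ordinary one. The function names, the seed and the sample moduli are this example's own assumptions; the real library's parameter ranges are not reproduced.

```python
"""ROCA (CVE-2017-15361) fingerprint check for RSA moduli.

Added example; not code from CERT, Infineon or the ROCA researchers.
The affected library builds each prime as p = k*M + (65537^a mod M), where
M is the product of the first n small primes.  Hence N = p*q satisfies
N mod r in <65537 mod r> for every prime r dividing M.  The primes up to
167 divide M for every supported key size, so testing them covers
512- to 4096-bit keys.  Pure Python; the modulus is handled as an int.
"""
import math
import random

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
E = 65537  # generator used by the affected library


def subgroup_mod(r: int, g: int = E) -> frozenset:
    """The cyclic subgroup {g^j mod r} generated by g in Z_r^*."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * g % r
    return frozenset(seen)


# Residues that N mod r can take when N was produced by the affected library.
ALLOWED = {r: subgroup_mod(r) for r in SMALL_PRIMES}


def has_roca_fingerprint(n: int) -> bool:
    """True if n matches the library's structure for every small prime."""
    return all(n % r in ALLOWED[r] for r in SMALL_PRIMES)


def false_positive_rate() -> float:
    """Share of ordinary moduli that would pass: prod |<65537 mod r>| / (r-1)."""
    return math.prod(len(ALLOWED[r]) / (r - 1) for r in SMALL_PRIMES)


def modulus_from_openssl_line(line: str) -> int:
    """Parse the 'Modulus=HEX' line printed by `openssl rsa -noout -modulus`."""
    return int(line.strip().split("=", 1)[1], 16)


def is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; fine for a demo, not a primality proof."""
    for r in [2] + SMALL_PRIMES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_style_prime(m: int, k_bits: int, rng: random.Random) -> int:
    """Constructed prime of the form k*M + (65537^a mod M), the shape the
    affected library produces (its exact parameter ranges are not copied)."""
    while True:
        k = rng.getrandbits(k_bits) | (1 << (k_bits - 1))
        p = k * m + pow(E, rng.randrange(1, m), m)
        if is_probable_prime(p, rng):
            return p


def ordinary_prime(bits: int, rng: random.Random) -> int:
    """Constructed prime with no special structure, for comparison."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rng):
            return p


def build_samples(seed: int = 2017):
    """Return (roca_modulus, ordinary_modulus); both are constructed data."""
    rng = random.Random(seed)
    m = math.prod([2] + SMALL_PRIMES)   # primorial of primes <= 167, ~2^219
    roca_n = roca_style_prime(m, 40, rng) * roca_style_prime(m, 40, rng)
    plain_n = ordinary_prime(256, rng) * ordinary_prime(256, rng)
    return roca_n, plain_n


if __name__ == "__main__":
    roca_n, plain_n = build_samples()
    print("false-positive rate of the check: 2^%.1f" % math.log2(false_positive_rate()))
    for label, n in (("constructed ROCA-style", roca_n), ("ordinary", plain_n)):
        verdict = "MATCHES fingerprint" if has_roca_fingerprint(n) else "no match"
        print(f"{label} modulus ({n.bit_length()} bits): {verdict}")
```

To check a real key, feed the `Modulus=...` line from `openssl rsa -in key.pem -noout -modulus` (or the public key's modulus obtained any other way) to `modulus_from_openssl_line` and pass the result to `has_roca_fingerprint`. The check has no false negatives for keys with the library's structure; the false-positive share it reports is what an unrelated key would have to hit by chance, so a match is a strong indicator that the key should be replaced as described above.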

Vendor Information


Atos SE

Notified: October 24, 2017 | Updated: October 24, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

From SwissSign:

"Our card manufacturer informed us that the ATOS CardOS 4.x cards and card reading systems used by SwissSign are not affected. The vulnerability mainly affects cards of the CardOS 5.x generation, which is still under evaluation at SwissSign.

In addition, there is the possibility for everyone to find out via the link https://keychest.net/roca whether the vulnerability affects the card. If you have any further questions, please do not hesitate to contact us also for a certificate of safety from our card manufacturer."

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Dell

Notified: October 19, 2017 | Updated: October 24, 2017

Statement Date: October 23, 2017

Status

  Affected

Vendor Statement

Dell has released a Knowledge Base article with statement and details.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.dell.com/support/article/us/en/19/sln307820/

Addendum

There are no additional comments at this time.


Fujitsu

Notified: October 16, 2017 | Updated: October 16, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Fujitsu has released a security advisory with a list of affected products.

Vendor References

http://www.fujitsu.com/global/support/products/software/security/products-f/ifsa-201701e.html

Addendum

There are no additional comments at this time.


Gemalto AV

Notified: October 18, 2017 | Updated: November 02, 2017

Statement Date: October 20, 2017

Status

  Affected

Vendor Statement

Gemalto Enterprise & Cybersecurity has released a security bulletin with more information.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://safenet.gemalto.com/technical-support/security-updates/

Google

Notified: October 16, 2017 | Updated: October 16, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Chrome OS prior to M60 is affected. Google has released a security advisory with more information.

Vendor References

https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update

Addendum

There are no additional comments at this time.


Hewlett Packard Enterprise

Notified: October 16, 2017 | Updated: October 16, 2017

Statement Date: October 16, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Some HPE TPM modules are affected. HPE has released firmware updates at the URL below. HPE has published a longer security bulletin HPESBHF03789 with more details.

Vendor References

https://support.hp.com/us-en/document/c05792935
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03789en_us

Addendum

There are no additional comments at this time.


Infineon Technologies AG

Notified: October 16, 2017 | Updated: October 24, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Infineon RSA library version 1.02.013 is impacted.

Infineon provides, at the URL below, a partial list of affected vendors using the library in TPM products.

Vendor References

https://www.infineon.com/cms/en/product/promopages/tpm-update/?redirId=59160

Addendum

There are no additional comments at this time.


Lenovo

Notified: October 16, 2017 | Updated: October 16, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Lenovo has released a security advisory and will update the advisory as updates become available.

Vendor References

https://support.lenovo.com/us/en/product_security/len-15552

Addendum

There are no additional comments at this time.


Microsoft Corporation

Notified: October 16, 2017 | Updated: October 16, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Microsoft has released a security advisory.

Vendor References

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012

Addendum

There are no additional comments at this time.


Rubrik

Notified: October 24, 2017 | Updated: October 24, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.rubrik.com/articles/How_To/000001116

Addendum

There are no additional comments at this time.


Taglio LLC

Updated: November 02, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The PIVKey C980 is affected. See the security advisory for more details.

Vendor References

https://pivkey.zendesk.com/hc/en-us/articles/115002390311-Infineon-ROCA-RSA-Key-Generation-Update

Addendum

There are no additional comments at this time.


WinMagic

Notified: October 16, 2017 | Updated: October 16, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Yubico

Notified: October 16, 2017 | Updated: October 16, 2017

Statement Date: October 16, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Yubikey 4 / 4C / 4 nano, versions 4.2.6 - 4.3.4, are vulnerable when using the onboard RSA generation functionality. Yubico has published a security advisory, and provides a keycheck information page with mitigation or replacement advice.

Vendor References

https://www.yubico.com/support/security-advisories/ysa-2017-01/
https://www.yubico.com/keycheck/

Addendum

There are no additional comments at this time.



CVSS Metrics

Group          Score  Vector
Base           8.8    AV:N/AC:M/Au:N/C:C/I:C/A:N
Temporal       6.9    E:POC/RL:OF/RC:C
Environmental  6.9    CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

Credit

This vulnerability was disclosed by Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec, and Vashek Matyas.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2017-15361
Date Public: 2017-10-16
Date First Published: 2017-10-16
Date Last Updated: 2017-11-08 20:44 UTC
Document Revision: 59

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.