Vulnerabilidad en la librerÃa Infineon RSA (CVE-2017-15361)
Gravedad CVSS v3.1:
MEDIA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
16/10/2017
Última modificación:
20/04/2025
Descripción
La librerÃa Infineon RSA 1.02.013 en firmware Infineon Trusted Platform Module (TPM) como las versiones anteriores a la 0000000000000422 - 4.34, anteriores a la 000000000000062b - 6.43 y anteriores a la 0000000000008521 - 133.33, gestiona de manera incorrecta la generación de claves RSA, lo que hace que sea más fácil para los atacantes superar varios mecanismos de protección criptográfica mediante ataques dirigidos, conocido como ROCA. Ejemplos de las tecnologÃas afectadas son BitLocker con TPM 1.2, la generación de claves PGP con YubiKey 4 (en versiones anteriores a la 4.3.5) y la caracterÃstica de cifrado Cached User Data en Chrome OS.
Impacto
Puntuación base 3.x
5.90
Gravedad 3.x
MEDIA
Puntuación base 2.0
4.30
Gravedad 2.0
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:infineon:trusted_platform_firmware:4.31:*:*:*:*:*:*:* | ||
| cpe:2.3:o:infineon:trusted_platform_firmware:4.32:*:*:*:*:*:*:* | ||
| cpe:2.3:o:infineon:trusted_platform_firmware:6.40:*:*:*:*:*:*:* | ||
| cpe:2.3:o:infineon:trusted_platform_firmware:133.32:*:*:*:*:*:*:* | ||
| cpe:2.3:h:acer:c720_chromebook:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:acer:chromebase:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:acer:chromebase_24:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:acer:chromebook_11_c730:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:acer:chromebook_11_c730e:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:acer:chromebook_11_c735:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:acer:chromebook_11_c740:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:acer:chromebook_11_c771:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:acer:chromebook_11_c771t:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:acer:chromebook_11_n7_c731:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:acer:chromebook_13_cb5-311:-:*:*:*:*:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- http://support.lenovo.com/us/en/product_security/LEN-15552
- http://www.securityfocus.com/bid/101484
- https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/
- https://blog.cr.yp.to/20171105-infineon.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-470231.pdf
- https://crocs.fi.muni.cz/public/papers/rsa_ccs17
- https://dan.enigmabridge.com/roca-vulnerability-impact-on-gemalto-idprime-net-smart-cards/
- https://github.com/crocs-muni/roca
- https://github.com/iadgov/Detect-CVE-2017-15361-TPM
- https://ics-cert.us-cert.gov/advisories/ICSA-18-058-01
- https://keychest.net/roca
- https://monitor.certipath.com/rsatest
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012
- https://security.netapp.com/advisory/ntap-20171024-0001/
- https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03789en_us
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03801en_us
- https://www.infineon.com/cms/en/product/promopages/tpm-update/?redirId=59160
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00104.html
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00148.html
- https://www.kb.cert.org/vuls/id/307015
- https://www.yubico.com/support/security-advisories/ysa-2017-01/
- http://support.lenovo.com/us/en/product_security/LEN-15552
- http://www.securityfocus.com/bid/101484
- https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/
- https://blog.cr.yp.to/20171105-infineon.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-470231.pdf
- https://crocs.fi.muni.cz/public/papers/rsa_ccs17
- https://dan.enigmabridge.com/roca-vulnerability-impact-on-gemalto-idprime-net-smart-cards/
- https://github.com/crocs-muni/roca
- https://github.com/iadgov/Detect-CVE-2017-15361-TPM
- https://ics-cert.us-cert.gov/advisories/ICSA-18-058-01
- https://keychest.net/roca
- https://monitor.certipath.com/rsatest
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012
- https://security.netapp.com/advisory/ntap-20171024-0001/
- https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03789en_us
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03801en_us
- https://www.infineon.com/cms/en/product/promopages/tpm-update/?redirId=59160
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00104.html
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00148.html
- https://www.kb.cert.org/vuls/id/307015
- https://www.yubico.com/support/security-advisories/ysa-2017-01/