nCipher HSM information disclosure

ncipher-hsm-obtain-info (15281) The risk level is classified as Medium Risk

Description:

nCipher Hardware Security Modules (HSM) could allow a local attacker to obtain sensitive information. By issuing specially crafted commands to the vulnerable module, a local attacker could obtain infrastructure and application keys from the module's run-time memory.

Note: If the GeneralSEE feature set is enabled, 2nd-generation nCipher HSM firmware versions 2.0.0 and later and 3rd-generation nCipher HSM firmware versions 2.12.0 and later are affected by this vulnerability.


Consequences:

Obtain Information

Remedy:

Upgrade to the latest firmware version, as listed in nCipher Advisory #9. See References.

References:

  • nCipher Security Advisory No. 9: Host-side attackers can access secret data.
  • BID-9717: nCipher Hardware Security Module Firmware Secrets Disclosure Vulnerability
  • CVE-2004-0320: Unknown vulnerability in nCipher Hardware Security Modules (HSM) 1.67.x through 1.99.x allows local users to access secrets stored in the module's run-time memory via certain sequences of commands.
  • OSVDB ID: 4055: nCipher nShield HSM Information Disclosure

Platforms Affected:

  • nCipher nCipher HSM 1.67.x - 1.99.x
  • nCipher nCipher HSM 2.0.0
  • nCipher nCipher HSM 2.12.0

Reported:

Feb 23, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com
