nCipher products firmware weak security

ncipher-firmware-weak-security (25063) The risk level is classified as Medium Risk

Description:

Multiple nCipher products could provide weaker than expected security when generating keys. Certain functionality could be exploited to generate keys with reduced security properties. A remote attacker could exploit this vulnerability to obtain sensitive information.

Products affected by this vulnerability include: nShield PCI or SCSI, nForce PCI or SCSI, netHSM, payShield PCI, SCSI and net, SecureDB, DSE200 Document Sealing Engine (including those bundled with pdfProof), and Time Source Master Clock (TSMC).

Platforms Affected:

  • nCipher, DSE200 Document Sealing Engine V10 prior to 2.22.6
  • nCipher, netHSM V10 prior to 2.22.6
  • nCipher, nForce PCI V10 prior to 2.22.6
  • nCipher, nForce SCSI V10 prior to 2.22.6
  • nCipher, nShield PCI V10 prior to 2.22.6
  • nCipher, nShield SCSI V10 prior to 2.22.6
  • nCipher, payShield net V10 prior to 2.22.6
  • nCipher, payShield PCI V10 prior to 2.22.6
  • nCipher, payShield SCSI V10 prior to 2.22.6
  • nCipher, SecureDB V10 prior to 2.22.6

Remedy:

Upgrade to the latest nCipher V10 firmware (2.22.6 or later), as listed in the nCipher Security Advisory #14. See References.

Consequences:

Obtain Information

References:

  • nCipher Security Advisory #14, SA#14: Presence of flaws in firmware security at http://www.ncipher.com/resources/97/sa14_presence_of_flaws_in_firmware_security.
  • BID-17012: nCipher Testing Options Insecure Key Generation Vulnerabilities
  • CVE-2006-1117: nCipher firmware before V10, as used by (1) nShield, (2) nForce, (3) netHSM, (4) payShield, (5) SecureDB, (6) DSE200 Document Sealing Engine, (7) Time Source Master Clock (TSMC), and possibly other products, contains certain options that were only intended for testing and not production, which might allow remote attackers to obtain information about encryption keys and crack those keys with less effort than brute force.
  • SA19137: nCipher Products Multiple Vulnerabilities
  • SECTRACK ID: 1015718: nCipher nCore May Let Users Conduct Key Determination Attacks and May Fail to Detect MAC Message Modification
  • VUPEN/ADV-2006-0862: nCipher Products Multiple Insecure Keys and Security Bypass Vulnerabilities

Reported:

Mar 07, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
