nCipher products firmware weak security

ncipher-firmware-weak-security (25063) Risk level: Medium

Description:

Multiple nCipher products could provide weaker than expected security when generating keys. Certain functionality could be exploited to generate keys with reduced security properties. A remote attacker could exploit this vulnerability to obtain sensitive information.

Products affected by this vulnerability include: nShield PCI or SCSI, nForce PCI or SCSI, netHSM, payShield PCI, SCSI and net, SecureDB, DSE200 Document Sealing Engine (including those bundled with pdfProof), and Time Source Master Clock (TSMC).


Consequences:

Obtain Information

Remedy:

Upgrade to the latest nCipher V10 firmware (2.22.6 or later), as listed in the nCipher Security Advisory #14. See References.

References:

  • nCipher Security Advisory #14: SA#14: Presence of flaws in firmware security.
  • BID-17012: nCipher Testing Options Insecure Key Generation Vulnerabilities
  • CVE-2006-1117: nCipher firmware before V10, as used by (1) nShield, (2) nForce, (3) netHSM, (4) payShield, (5) SecureDB, (6) DSE200 Document Sealing Engine, (7) Time Source Master Clock (TSMC), and possibly other products, contains certain options that were only intended for testing and not production, which might allow remote attackers to obtain information about encryption keys and crack those keys with less effort than brute force.
  • SA19137: nCipher Products Multiple Vulnerabilities
  • SECTRACK ID: 1015718: nCipher nCore May Let Users Conduct Key Determination Attacks and May Fail to Detect MAC Message Modification
  • VUPEN/ADV-2006-0862: nCipher Products Multiple Insecure Keys and Security Bypass Vulnerabilities

Platforms Affected:

  • nCipher DSE200 Document Sealing Engine V10 prior to 2.22.6
  • nCipher netHSM V10 prior to 2.22.6
  • nCipher nForce PCI V10 prior to 2.22.6
  • nCipher nForce SCSI V10 prior to 2.22.6
  • nCipher nShield PCI V10 prior to 2.22.6
  • nCipher nShield SCSI V10 prior to 2.22.6
  • nCipher payShield net V10 prior to 2.22.6
  • nCipher payShield PCI V10 prior to 2.22.6
  • nCipher payShield SCSI V10 prior to 2.22.6
  • nCipher SecureDB V10 prior to 2.22.6

Reported:

Mar 07, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
