
ID

VDE-2025-005

Published

2025-01-14 12:00 (CET)

Last update

2025-01-13 11:49 (CET)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No. Product Name Affected Version(s)
ESL STICK USB A < 4.5.2

Summary

A vulnerability has been found in a cryptographic library of Infineon Technologies that is part of the firmware of the CmDongles. The exploitation of this vulnerability has been classified as complex: potential attackers need physical access and require special equipment to exploit the vulnerability. In general, this vulnerability affects only ECC keys used to calculate signatures with the ECDSA algorithm.

Last Update:

13 January 2025 11:47

Weakness

Observable Discrepancy (CWE-203)

Summary

Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected.
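The weakness named above is a timing discrepancy (CWE-203): the Extended Euclidean Algorithm's loop count and branch pattern depend on the value being inverted, which in ECDSA is a secret per-signature value. The following is an added illustration written for this page, not code from this advisory or from Infineon, Wibu-Systems or Yubico: it counts the data-dependent steps of an extended-Euclid inversion beside a fixed-schedule inversion (a^(p-2) mod p via a Montgomery ladder, whose step count is fixed by the public modulus). The small prime 1009 and the P-256 group order are constructed sample inputs. Python big-integer arithmetic is not itself constant time, so the example shows only the structural difference a defender or reviewer would look for, not a production-grade mitigation.

```python
"""Data-dependent vs fixed-schedule modular inversion (CWE-203 illustration)."""
from typing import Tuple

# Constructed sample moduli: a small prime for readable step counts, and the
# P-256 group order, which is the modulus ECDSA uses for its nonce inversion.
SMALL_PRIME = 1009
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def egcd_inverse(a: int, p: int) -> Tuple[int, int]:
    """Inverse of a mod prime p by the Extended Euclidean Algorithm.

    Returns (inverse, steps). The number of loop iterations and the size of
    each quotient depend on the value of a: this variation in work per input
    is the observable discrepancy the advisory's weakness entry refers to.
    """
    r0, r1 = p, a % p          # remainders
    s0, s1 = 0, 1              # coefficients of a alongside r0, r1
    steps = 0
    while r1 != 0:             # termination depends on the operand
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        steps += 1
    if r0 != 1:
        raise ValueError("operand is not invertible modulo p")
    return s0 % p, steps


def fermat_inverse(a: int, p: int) -> Tuple[int, int]:
    """Inverse of a mod prime p as a^(p-2) mod p using a Montgomery ladder.

    Returns (inverse, steps). The exponent p-2 is public, so the schedule of
    squarings and multiplications is fixed by p alone; both products are
    computed on every iteration and the exponent bit only selects which
    result lands in which accumulator, without a data-dependent branch.
    """
    a %= p
    if a == 0:
        raise ValueError("operand is not invertible modulo p")
    e = p - 2
    nbits = p.bit_length()     # fixed by the public modulus, never by a
    r0, r1 = 1, a
    steps = 0
    for i in range(nbits - 1, -1, -1):
        bit = (e >> i) & 1
        prod = (r0 * r1) % p   # always computed
        sq0 = (r0 * r0) % p    # always computed
        sq1 = (r1 * r1) % p    # always computed
        # Arithmetic select in place of an if/else on the exponent bit.
        r0 = (1 - bit) * sq0 + bit * prod
        r1 = (1 - bit) * prod + bit * sq1
        steps += 1
    return r0, steps


def step_profile(p: int, operands) -> Tuple[set, set]:
    """Collect the distinct step counts each method needs over the operands.

    A reviewer expects the first set to contain several values (work varies
    with the secret operand) and the second to contain exactly one.
    """
    egcd_steps = {egcd_inverse(a, p)[1] for a in operands}
    fermat_steps = {fermat_inverse(a, p)[1] for a in operands}
    return egcd_steps, fermat_steps


if __name__ == "__main__":
    small_profile = step_profile(SMALL_PRIME, range(1, SMALL_PRIME))
    print("mod 1009, extended Euclid step counts seen:", sorted(small_profile[0]))
    print("mod 1009, fixed-schedule step counts seen:", sorted(small_profile[1]))
    big_profile = step_profile(P256_ORDER, [3, 2**100 + 7, P256_ORDER - 2])
    print("mod P-256 order, extended Euclid step counts seen:", sorted(big_profile[0]))
    print("mod P-256 order, fixed-schedule step counts seen:", sorted(big_profile[1]))
```

Run stand-alone, the script prints several distinct step counts for the Euclidean inversion and a single count (the modulus bit length) for the fixed-schedule one. The same structural question, whether the work done depends on the secret operand, is what to ask of any inversion routine used for ECDSA nonces, whatever language or device it runs on.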
Impact

An attack would enable an attacker to create licenses that can be transferred into arbitrary CmDongles or CmActLicenses. An attack at scale is possible, in which forged licenses are distributed that cannot be distinguished from legitimate ones.

Solution

Mitigation

The following measures are recommended to reduce the risk until the fixed version can be installed. Please be aware that not all mitigations apply to every possible product configuration, so check which of them are relevant or applicable in your case.

As physical access is needed to exploit the vulnerability, it is recommended to take strict measures to control access to the CmDongles, especially to the FSBs (Firm Security Boxes). General security best practices can help to protect systems from local and network attacks.

Remediation

Update the firmware of the CmDongle to version 4.52. The firmware for the CmDongle can be downloaded from the Wibu-Systems website.

Reported by

CERT@VDE coordinated with Phoenix Contact