Summary
A vulnerability has been found in a cryptographic library from Infineon Technologies that is part of the firmware of the CmDongles. Exploitation of this vulnerability is classified as complex: a potential attacker needs physical access to the device and requires special equipment. In general, this vulnerability affects only ECC keys that are used to calculate signatures with the ECDSA algorithm.
Impact
A successful attack would enable an attacker to create licenses that can be transferred into arbitrary CmDongles or CmActLicenses. A scaling hack is possible, by which such licenses can be distributed and cannot be distinguished from legitimate ones.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| 1080084 | ESL STICK USB A | Firmware <4.5.2 |
Vulnerabilities
Mitigation
The following measures are recommended to reduce the risk until the fixed version can be installed. Please be aware that not all mitigations apply to every possible product configuration, so check which of them are relevant or applicable in your case.

As physical access is needed to exploit the vulnerability, it is recommended to take strict measures to control access to the CmDongles, especially to the FSBs (Firm Security Boxes). General security best practices can help to protect systems from local and network attacks.
Remediation
Update the firmware of the CmDongle to version 4.52. The firmware for the CmDongle can be downloaded from the Wibu-Systems website.
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 14.01.2025 12:00 | Initial revision |
| 2 | 12.02.2025 17:48 | Fix: corrected self-reference, fix version |
| 3 | 14.05.2025 15:00 | Fix: added distribution |