Upstream information
Description
The Infineon RSA library 1.02.013 in Infineon Trusted Platform Module (TPM) firmware, such as versions before 0000000000000422 - 4.34, before 000000000000062b - 6.43, and before 0000000000008521 - 133.33, mishandles RSA key generation, which makes it easier for attackers to defeat various cryptographic protection mechanisms via targeted attacks, aka ROCA. Examples of affected technologies include BitLocker with TPM 1.2, YubiKey 4 (before 4.3.5) PGP key generation, and the Cached User Data encryption feature in Chrome OS.Upstream Security Advisories:
SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
| National Vulnerability Database | |
|---|---|
| Base Score | 4.3 |
| Vector | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | None |
| Availability Impact | None |
| National Vulnerability Database | |
|---|---|
| Base Score | 5.9 |
| Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | None |
| Availability Impact | None |
| CVSSv3 Version | 3 |
Note from the SUSE Security Team
To our knowledge no SUSE or openSUSE package has facilitated the TPM for RSA key generation so far, so we should not have created keys ourselves. For more information on this vulnerability, including tools to check for weak keys, please check out the ROCA report page. SUSE Bugzilla entry: 1063593 [RESOLVED / INVALID] No SUSE Security Announcements cross referenced.SUSE Timeline for this CVE
CVE page created: Mon Oct 16 17:19:55 2017CVE page last modified: Fri Sep 13 19:23:31 2024