Security Advisories and Updates

Utimaco declares that CryptoServer Hardware Security Modules (HSMs), including their firmware, are not affected by these vulnerabilities. Please consult the CVE-2017-5754 Security Advisory for more information.

Utimaco has been made aware of the vulnerability CVE-2017-15361, also known as ROCA (The Return of Coppersmith's Attack), affecting the RSA library in Infineon chips. Utimaco declares that CryptoServer Hardware Security Modules (HSMs), including their firmware and tools, are not affected by this vulnerability. Please consult CVE-2017-15361 for details.

Utimaco has been informed about a vulnerability affecting Utimaco’s product package “SecurityServer”. It allows an authenticated user to disclose a secret Elliptic Curve (EC) key stored inside a Utimaco HSM. This vulnerability has been filed under ID CVE-2015-6924 in the “Common Vulnerabilities and Exposures” list. Please consult our CVE-2015-6924 Security Advisory for information about the vulnerability and how to fix it.

Utimaco has been made aware of the so-called key extraction vulnerability CVE-2015-5464. The vulnerability CVE-2015-5464 is entirely based on functions and mechanisms specified in the PKCS#11 standard, in particular the C_DeriveKey function with the mechanism CKM_EXTRACT_KEY_FROM_KEY. Hence, all standard-compliant PKCS#11 implementations supporting these mechanisms are affected. Whether a given application is actually subject to this vulnerability depends on the specific environment and on the setting of the key usage flags. We strongly encourage our customers to implement the measures and follow the guidelines described in the Utimaco Company Statement concerning the key extraction vulnerability.

27 May 2015

Leap Second

The imminent insertion of a leap second on June 30, 2015 has raised concerns about availability and reliability of computer systems. Utimaco has conducted an analysis of possible impacts of this leap second on our products. This analysis has led to the conclusion that handling of the leap second by CryptoServer HSMs and CryptoServer LAN appliances ensures valid system time settings. Neither degradation of service nor operational failure nor any security-relevant issues are to be expected.

3 February 2015

CVE-2015-0235 aka "GHOST"

Utimaco has become aware of the vulnerability CVE-2015-0235, also known as "GHOST", affecting the “gethostbyname” functions of the Linux library glibc. Analysis of the impact of GHOST on Utimaco HSM products has led to the following conclusions:
  • Utimaco’s “CryptoServer LAN” appliances embed a vulnerable version of glibc. The GHOST vulnerability cannot be exploited there due to the intentionally limited functionality of the CryptoServer LAN hardened Operating System and further mitigating factors.
  • Furthermore, some tools and libraries delivered with Utimaco’s HSM product packages call the affected gethostbyname() function. These software modules load glibc dynamically at runtime. Although keys stored inside the HSM cannot be retrieved by an attacker, an attacker might gain access to other data on the host if the host computer relies on an affected version of glibc. We therefore strongly recommend upgrading host systems to glibc version 2.18 or above.