Security Advisories
Utimaco has analysed its product portfolio for impact from CVE-2024-6387 (the OpenSSH "regreSSHion" vulnerability). Products that have been investigated and have reached a conclusion of "Impacted" are listed in this bulletin.
If you have questions, please contact Utimaco Support.
The latest updates are published here: https://www.utimaco.com/support
Utimaco has analysed its product portfolio for impact from CVE-2021-44228 and CVE-2021-45046 (Apache Log4j 2, "Log4Shell"). Products that have been investigated and have reached a conclusion of "Impacted" are listed in this bulletin, along with mitigation steps. Any products not listed in this bulletin were evaluated as "Not Affected" at the time of publication. If you have questions, please contact Utimaco Support.
The latest updates are published here: https://www.utimaco.com/support
Utimaco has been made aware of a vulnerability affecting the Windows installations of several product packages. When product packages of the affected products are installed with the Windows installer shipped on the product CD, incorrect folder permissions are configured. In addition, the PIN Pad Daemon (PPD) is configured to run under the LocalSystem account. Either condition could allow an attacker to escalate Windows privileges from a standard "Authenticated User" to Administrator or SYSTEM. Please consult the CVE-2020-26155 Security Advisory for the mitigation steps.
Thanks to Richard Davy from ECSC (www.ecsc.co.uk) for the responsible disclosure and his valuable input for mitigation of this vulnerability.
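The following audit script is an added example for the entry above; it is illustration code, not Utimaco's tooling and not the vendor's mitigation (the CVE-2020-26155 advisory remains the authoritative source for that). It checks the two conditions the entry names: write-class rights on the install tree granted to principals every standard user belongs to, and the PPD service account. `$InstallDir` and `$ServiceName` are assumptions and must be replaced with the real install path and service name.

```powershell
# Added audit for CVE-2020-26155-style misconfigurations (illustration only, not
# Utimaco code). Run in an elevated PowerShell on the host being checked.
param(
    [string]$InstallDir  = 'C:\Program Files\Utimaco',   # assumption: real install path differs
    [string]$ServiceName = 'PPD'                          # assumption: real service name differs
)

# Groups that contain every standard (non-admin) user.
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a standard user replace or plant files under the tree, which is
# enough to feed a binary or DLL to a service that later runs as SYSTEM.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, ChangePermissions, TakeOwnership, Delete'

$findings = @()
$dirs = @($InstallDir) + (Get-ChildItem -Path $InstallDir -Directory -Recurse -ErrorAction SilentlyContinue).FullName
foreach ($path in $dirs) {
    $acl = Get-Acl -Path $path -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broad -contains $ace.IdentityReference.Value -and
            (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            $findings += "$path : $($ace.IdentityReference.Value) has $($ace.FileSystemRights)"
        }
    }
}

# A service running as LocalSystem from a user-writable directory is the escalation path.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($svc -and $svc.StartName -eq 'LocalSystem') {
    $findings += "Service $ServiceName runs as LocalSystem, binary: $($svc.PathName)"
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No weak ACLs on the install tree and no LocalSystem service found.'
}

# Generic ACL remediation (vendor steps take precedence): drop inherited ACEs and
# leave standard users read/execute only on the install tree.
# icacls "$InstallDir" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
```

The ACL check deliberately treats `Delete` and `ChangePermissions` as write-class rights: deleting a legitimate binary and recreating it, or rewriting the DACL, gives the same result as a direct write.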
Utimaco has been informed about a vulnerability affecting Utimaco's product package "SecurityServer": a PKCS#11 Security Officer of one PKCS#11 slot can read the attributes of, and delete, keys belonging to a different slot if those keys are held in external key storage outside the HSM. This vulnerability has been filed under ID CVE-2018-19589 in the "Common Vulnerabilities and Exposures" list. Please consult the CVE-2018-19589 Security Advisory for more information.
Utimaco has been made aware of the vulnerability CVE-2017-15361, also known as ROCA (The Return of Coppersmith's Attack), affecting the RSA key generation library in Infineon chips. Utimaco declares that CryptoServer Hardware Security Modules (HSMs), including their firmware and tools, are not affected by this vulnerability. Please consult CVE-2017-15361 for details.
Utimaco has been informed about a vulnerability affecting Utimaco's product package "SecurityServer". It allows an authenticated user to disclose a secret Elliptic Curve (EC) key stored inside a Utimaco HSM. This vulnerability has been filed under ID CVE-2015-6924 in the "Common Vulnerabilities and Exposures" list. Please consult our CVE-2015-6924 Security Advisory for information about the vulnerability and how to fix it.
Utimaco has been made aware of the so-called key extraction vulnerability CVE-2015-5464. The vulnerability is entirely based on functions and mechanisms specified in the PKCS#11 standard, in particular the C_DeriveKey function with the mechanism CKM_EXTRACT_KEY_FROM_KEY. Hence, all standard-compliant PKCS#11 implementations supporting this mechanism are affected. Whether a given application is actually exposed depends on the specific environment and on the setting of key usage flags (for example CKA_DERIVE and CKA_SENSITIVE on the keys concerned). We strongly encourage our customers to implement the measures and follow the guidelines described in the Utimaco Company Statement concerning the key extraction vulnerability.
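The following added example models why CKM_EXTRACT_KEY_FROM_KEY matters. It is illustration code, not Utimaco's software and not a real PKCS#11 library: the `ToyToken` class, its handle numbering and the use of HMAC-SHA256 as the keyed operation are assumptions made for the demonstration. What it keeps from the standard is the shape of the mechanism (a bit offset into the base key, a template asking for a derived key of a chosen length) and the fact that a derived key inherits CKA_SENSITIVE yet remains usable. The attacker never reads a key value; each one-byte slice is recovered by brute-forcing 256 MACs, and CKA_DERIVE=FALSE on the base key stops the first derivation.

```python
"""Toy model of the PKCS#11 key-extraction weakness behind CVE-2015-5464.

Constructed illustration, not Utimaco code and not a real PKCS#11 implementation.
"""
import hashlib
import hmac
import secrets


class ToyKey:
    def __init__(self, value: bytes, sensitive: bool, derive: bool):
        self.value = value
        self.sensitive = sensitive   # CKA_SENSITIVE: value may never be read out
        self.derive = derive         # CKA_DERIVE: key may serve as a derivation base


class ToyToken:
    def __init__(self):
        self._keys = {}
        self._next_handle = 1

    def create_key(self, value, sensitive=True, derive=True):
        handle = self._next_handle
        self._next_handle += 1
        self._keys[handle] = ToyKey(value, sensitive, derive)
        return handle

    def get_value(self, handle):
        key = self._keys[handle]
        if key.sensitive:
            raise PermissionError("CKR_ATTRIBUTE_SENSITIVE")
        return key.value

    def derive_extract(self, base, bit_offset, value_len):
        """C_DeriveKey with CKM_EXTRACT_KEY_FROM_KEY: copy value_len*8 bits of the
        base key, starting at bit_offset and wrapping around the end, into a new key."""
        key = self._keys[base]
        if not key.derive:
            raise PermissionError("CKR_KEY_FUNCTION_NOT_PERMITTED")
        bits = "".join(f"{b:08b}" for b in key.value)
        taken = "".join(bits[(bit_offset + i) % len(bits)] for i in range(value_len * 8))
        new_value = int(taken, 2).to_bytes(value_len, "big")
        # The derived key inherits sensitivity, so its value still cannot be read out.
        return self.create_key(new_value, sensitive=key.sensitive, derive=key.derive)

    def hmac_sign(self, handle, data):
        return hmac.new(self._keys[handle].value, data, hashlib.sha256).digest()


def extract_sensitive_key(token, base, key_len):
    """Attacker side: derive one-byte slices of the sensitive key, MAC a chosen
    message with each slice, and brute-force the 256 possible byte values."""
    message = b"attacker-chosen message"
    recovered = bytearray()
    for i in range(key_len):
        slice_handle = token.derive_extract(base, bit_offset=8 * i, value_len=1)
        target = token.hmac_sign(slice_handle, message)
        for candidate in range(256):
            guess = hmac.new(bytes([candidate]), message, hashlib.sha256).digest()
            if hmac.compare_digest(guess, target):
                recovered.append(candidate)
                break
    return bytes(recovered)


def demo_weak_flags():
    """CKA_SENSITIVE=TRUE but CKA_DERIVE=TRUE: a 128-bit key leaks after 16 * 256 MACs."""
    token = ToyToken()
    secret = secrets.token_bytes(16)
    handle = token.create_key(secret, sensitive=True, derive=True)
    return extract_sensitive_key(token, handle, 16) == secret


def demo_hardened_flags():
    """CKA_DERIVE=FALSE on the sensitive key: the first C_DeriveKey call is refused."""
    token = ToyToken()
    handle = token.create_key(secrets.token_bytes(16), sensitive=True, derive=False)
    try:
        extract_sensitive_key(token, handle, 16)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("weak flags, key recovered:", demo_weak_flags())
    print("CKA_DERIVE=FALSE, extraction blocked:", demo_hardened_flags())
```

The point to take from the model is that CKA_SENSITIVE alone does not protect a key: any keyed operation the derived slice may perform (here a MAC) turns it into an oracle whose key space is 2^8 instead of 2^128. The defence belongs on the base key's attributes, which is the kind of key usage flag setting the statement above refers to.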
- Utimaco's "CryptoServer LAN" appliances embed a version of glibc vulnerable to GHOST (CVE-2015-0235). The vulnerability cannot be exploited there due to the intentionally limited functionality of the CryptoServer LAN hardened operating system and further mitigating factors.
- Furthermore, some tools and libraries delivered with Utimaco's HSM product packages call the affected gethostbyname() function. These software modules load glibc dynamically at runtime. Although keys stored inside the HSM cannot be retrieved by an attacker, an attacker might gain access to other data if the host computer relies on an affected version of glibc. We therefore strongly recommend upgrading host systems to glibc version 2.18 or above.
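The host-side check a practitioner would run for the GHOST entry above, as an added example (illustration only, not a Utimaco tool): report the host's glibc version against the 2.18 threshold the entry states, and list which shipped tools or libraries reference gethostbyname. It assumes getconf or ldd is present for the version lookup, and uses nm on ELF files when binutils is installed, falling back to a plain string search otherwise. The scan directory is whatever you point it at; `/opt/utimaco` below is a placeholder, not a known install path.

```sh
#!/bin/sh
# Added GHOST (CVE-2015-0235) host check for the advisory entry above; illustration, not a Utimaco tool.

# Return 0 if the glibc version string (e.g. "2.17") is 2.18 or newer, the fixed
# version named in the advisory. Anything unparseable counts as not fixed.
glibc_fixed_for_ghost() {
    printf '%s\n' "$1" | awk -F. '{ if ($1 > 2 || ($1 == 2 && $2 >= 18)) exit 0; exit 1 }'
}

# Print the host's glibc version, via getconf first and ldd as a fallback.
host_glibc_version() {
    v=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}')
    [ -n "$v" ] || v=$(ldd --version 2>/dev/null | head -n1 | awk '{print $NF}')
    printf '%s\n' "$v"
}

# Return 0 if FILE references gethostbyname (also matches gethostbyname_r/2):
# dynamic symbol table for ELF files when nm exists, raw string search otherwise.
references_gethostbyname() {
    f=$1
    if command -v nm >/dev/null 2>&1 && [ "$(head -c 4 "$f" | tr -d '\177')" = "ELF" ]; then
        nm -D "$f" 2>/dev/null | grep -q 'gethostbyname'
    else
        grep -aq 'gethostbyname' "$f"
    fi
}

# List every file under DIR that references gethostbyname.
scan_for_gethostbyname() {
    find "$1" -type f | while IFS= read -r f; do
        references_gethostbyname "$f" && printf '%s\n' "$f"
    done
}

# Stand-alone usage: report the host and scan a package directory (placeholder path).
if [ "${1:-}" = "--run" ]; then
    ver=$(host_glibc_version)
    if glibc_fixed_for_ghost "$ver"; then
        echo "glibc $ver: fixed for GHOST"
    else
        echo "glibc $ver: upgrade to 2.18 or above"
    fi
    scan_for_gethostbyname "${2:-/opt/utimaco}"
fi
```

Only modules that actually pull in gethostbyname at runtime matter for the second bullet; a module linked against a fixed host glibc is safe even if it references the symbol, which is why the version check and the scan are reported together.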