Security Advisories RSS

Security Advisories and Updates

Utimaco has analysed its product portfolio for impact from CVE-2021-44228 and CVE-2021-45046 (the Apache Log4j 2 "Log4Shell" vulnerabilities). Products that have been investigated and found to be "Impacted" are listed in this bulletin, along with mitigation steps. Any product not listed in this bulletin was evaluated as "Not Affected" at the time of publication. If you have questions, please contact Utimaco Support.

The latest updates are published here: https://www.utimaco.com/support

Utimaco has been made aware of a vulnerability affecting the Windows installations of several product packages. When product packages of the Affected Products are installed with the Windows installer shipped on the product CD, the installer configures incorrect (overly permissive) folder permissions on the installation directories. In addition, the PIN Pad Daemon ("PPD") service is configured to run under the LocalSystem account. Either condition could allow a local attacker to escalate privileges from a standard "Authenticated User" to Administrator or SYSTEM; in combination, a standard user who can write to the directory of a service that runs as LocalSystem can replace or plant the code that service loads. Please consult the CVE-2020-26155 Security Advisory to find out how to prevent this effectively.
Thanks to Richard Davy from ECSC (www.ecsc.co.uk) for the responsible disclosure and his valuable input on mitigating this vulnerability.
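The two conditions in that advisory can be checked from ordinary Windows tool output. The following is an added example (not Utimaco's tooling and not taken from the advisory): it parses saved `icacls` and `sc qc` output, flags directories where a principal every authenticated user belongs to holds a write-capable right, and then checks whether a service that runs as LocalSystem has its binary inside such a directory. The install path `C:\Program Files\Utimaco\PPD`, the service name `PPD`, the binary name and the sample ACEs are constructed assumptions for the demonstration; the rendering of deny ACEs as a `DENY` token is also an assumption.

```python
"""Check saved Windows ACL and service-configuration output for the two
conditions this advisory describes: an install directory that low-privileged
users can write to, and a service running as LocalSystem whose binary lives
in such a directory.  Added example, not Utimaco's own tooling."""
import ntpath
import re
from typing import Dict, List, Set, Tuple

# Principals every authenticated user effectively belongs to.
LOW_PRIV_PRINCIPALS = {"everyone", "builtin\\users",
                       "nt authority\\authenticated users", "nt authority\\interactive"}
# icacls rights that let the holder add/replace files or rewrite the ACL itself.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "DC"}
SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system"}

# Constructed sample output in the shape of:  icacls "C:\Program Files\Utimaco\*"
# (install path, service name, binary and ACEs are assumptions for the demo).
ICACLS_OUTPUT = r"""C:\Program Files\Utimaco\PPD Everyone:(OI)(CI)(F)
                             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                             BUILTIN\Users:(I)(OI)(CI)(RX)
C:\Program Files\Utimaco\Tools NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                               BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 2 files; Failed processing 0 files
"""
# Constructed sample output in the shape of:  sc qc PPD
SC_QC_OUTPUT = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: PPD
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : "C:\Program Files\Utimaco\PPD\ppd.exe"
        DISPLAY_NAME       : PIN Pad Daemon
        SERVICE_START_NAME : LocalSystem
"""

# "<principal>:(flag)(flag)..."; a principal has at most one backslash.
ACE_RE = re.compile(r"(\S[^:\\]*(?:\\[^:\\]+)?):((?:\([^)]*\))+)\s*$")
# First line of an entry is "<path> <ace>"; the path may contain spaces, so it
# is matched non-greedily up to the point where a valid ACE follows.
PATH_LINE_RE = re.compile(r"(\S.*?)\s+" + ACE_RE.pattern)

Acl = Dict[str, List[Tuple[str, Set[str]]]]

def parse_icacls(text: str) -> Acl:
    """Map each listed path to its ACEs as (principal, set of flag tokens)."""
    acls: Acl = {}
    path = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Successfully"):
            continue
        if line[0].isspace():                  # further ACE for the current path
            m = ACE_RE.search(line)
            if not m or path is None:
                continue
            principal, flags = m.group(1), m.group(2)
        else:                                  # new path with its first ACE
            m = PATH_LINE_RE.match(line)
            if not m:
                continue
            path, principal, flags = m.group(1), m.group(2), m.group(3)
        # "(OI)(CI)(F)" -> {"OI","CI","F"}; specific rights "(DE,WDAC)" split on commas
        tokens = {t for grp in re.findall(r"\(([^)]*)\)", flags) for t in grp.split(",")}
        acls.setdefault(path, []).append((principal, tokens))
    return acls

def low_priv_writable(acls: Acl) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Paths where a low-privileged principal holds a write-capable right."""
    hits: Dict[str, List[Tuple[str, List[str]]]] = {}
    for path, aces in acls.items():
        for principal, tokens in aces:
            if "DENY" in tokens:               # deny ACE (assumed rendering): skip
                continue
            if principal.lower() in LOW_PRIV_PRINCIPALS and tokens & WRITE_RIGHTS:
                hits.setdefault(path, []).append((principal, sorted(tokens & WRITE_RIGHTS)))
    return hits

def parse_sc_qc(text: str) -> Dict[str, str]:
    """Turn the KEY : VALUE lines of `sc qc <name>` into a dict."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def under(child: str, parent: str) -> bool:
    c, p = ntpath.normcase(child), ntpath.normcase(parent)
    return c == p or c.startswith(p.rstrip("\\") + "\\")

def assess(icacls_text: str, sc_text: str) -> List[str]:
    """Human-readable findings; an empty list means neither condition holds."""
    writable = low_priv_writable(parse_icacls(icacls_text))
    findings = [f"{path}: writable by {who} ({','.join(rights)})"
                for path, aces in writable.items() for who, rights in aces]
    cfg = parse_sc_qc(sc_text)
    account = cfg.get("SERVICE_START_NAME", "")
    if account.lower() in SYSTEM_ACCOUNTS:
        findings.append(f"service {cfg.get('SERVICE_NAME')} runs as {account}")
        binary = cfg.get("BINARY_PATH_NAME", "")
        if binary.startswith('"'):             # drop quotes and any arguments
            binary = binary[1:binary.find('"', 1)]
        if any(under(ntpath.dirname(binary), d) for d in writable):
            findings.append(f"{binary} sits in a low-privilege-writable directory: "
                            "a standard user can replace it and run as SYSTEM")
    return findings

if __name__ == "__main__":
    for finding in assess(ICACLS_OUTPUT, SC_QC_OUTPUT):
        print(finding)
```

To run it against a real host, save `icacls "<install root>\*"` and `sc qc <service>` output to files and pass their contents to `assess()`. The check is deliberately conservative: it ignores deny ACEs and inherited-only flags, so a hit means the directory really is writable by every authenticated user unless a deny entry elsewhere says otherwise.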

Utimaco has been informed about a vulnerability affecting Utimaco's product package "SecurityServer": a PKCS#11 Security Officer of one PKCS#11 slot is able to read the attributes of keys in a different slot, and to delete keys in a different slot, if those keys are stored in external key storage outside the HSM; the issue is limited to keys held in such external storage. This vulnerability has been filed under ID CVE-2018-19589 in the "Common Vulnerabilities and Exposures" list. Please consult the CVE-2018-19589 Security Advisory for more information.

Utimaco declares that CryptoServer Hardware Security Modules (HSMs), including their firmware, are not affected by the speculative-execution vulnerabilities disclosed in January 2018 (Meltdown, CVE-2017-5754, and the related Spectre variants). Please consult the CVE-2017-5754 Security Advisory for more information.

Utimaco has been made aware of the vulnerability CVE-2017-15361, a.k.a. ROCA (Return of Coppersmith's Attack), affecting the RSA key-generation library in Infineon chips: RSA keys generated by the affected library have a structure that makes them factorable far faster than their key size suggests. Utimaco declares that CryptoServer Hardware Security Modules (HSMs), including their firmware and tools, are not affected by this vulnerability. Please consult the CVE-2017-15361 Security Advisory for details.

Utimaco has been informed about a vulnerability affecting Utimaco's product package "SecurityServer". It allows an authenticated user to disclose a secret Elliptic Curve (EC) key stored inside a Utimaco HSM. This vulnerability has been filed under ID CVE-2015-6924 in the "Common Vulnerabilities and Exposures" list. Please consult our CVE-2015-6924 Security Advisory for information about the vulnerability and how to fix it.

Utimaco has been made aware of the so-called key extraction vulnerability CVE-2015-5464. The vulnerability is entirely based on functions and mechanisms specified in the PKCS#11 standard, in particular the C_DeriveKey function with the CKM_EXTRACT_KEY_FROM_KEY mechanism, which derives a new key object from a chosen slice of an existing key's value. Hence, all standard-compliant PKCS#11 implementations that support this mechanism are affected. Whether a given application is actually exposed depends on the specific environment and on the key attributes it sets (in particular CKA_DERIVE on sensitive keys). We strongly encourage our customers to implement the measures and follow the guidelines described in the Utimaco Company Statement concerning key extraction vulnerability.
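Why CKA_DERIVE matters here is easiest to see in code. The following is an added example, a simulation of the PKCS#11 semantics involved and not Utimaco firmware or any vendor's implementation: a toy token holds a sensitive, non-extractable AES key that can never be read out directly, yet allows CKM_EXTRACT_KEY_FROM_KEY on it. An attacker derives one-byte sub-keys from it and brute-forces each through an HMAC operation, 256 guesses per byte, recovering the whole key with only standard calls. Setting CKA_DERIVE to false on the key (the "key usage flag" the advisory refers to) makes the token refuse the derivation. The byte-aligned `derive_extract` call is a simplification of the real C_DeriveKey parameters (a CK_EXTRACT_PARAMS bit index plus CKA_VALUE_LEN in the template).

```python
"""Simulate the CVE-2015-5464 key-extraction pattern against a toy PKCS#11
token.  Added example: a simulation of the standard's semantics, not any
HSM's firmware."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict


@dataclass
class KeyObject:
    value: bytes
    CKA_SENSITIVE: bool = True
    CKA_EXTRACTABLE: bool = False
    CKA_DERIVE: bool = True          # the attribute the attack depends on


class ToyToken:
    """Minimal token offering C_GetAttributeValue(CKA_VALUE), C_DeriveKey with
    CKM_EXTRACT_KEY_FROM_KEY, and an HMAC-SHA256 signing operation."""

    def __init__(self) -> None:
        self.keys: Dict[int, KeyObject] = {}
        self.next_handle = 1

    def create(self, key: KeyObject) -> int:
        handle, self.next_handle = self.next_handle, self.next_handle + 1
        self.keys[handle] = key
        return handle

    def get_value(self, handle: int) -> bytes:
        """Direct read-out is refused for sensitive / non-extractable keys."""
        key = self.keys[handle]
        if key.CKA_SENSITIVE or not key.CKA_EXTRACTABLE:
            raise PermissionError("CKR_ATTRIBUTE_SENSITIVE")
        return key.value

    def derive_extract(self, base: int, bit_offset: int, value_len: int) -> int:
        """CKM_EXTRACT_KEY_FROM_KEY (byte-aligned simplification): the new key is
        value_len bytes of the base key starting at bit_offset.  The derived key
        inherits CKA_SENSITIVE / CKA_EXTRACTABLE, which does not stop the attack."""
        key = self.keys[base]
        if not key.CKA_DERIVE:
            raise PermissionError("CKR_KEY_FUNCTION_NOT_PERMITTED")
        start = bit_offset // 8
        sub = key.value[start:start + value_len]
        return self.create(KeyObject(sub, key.CKA_SENSITIVE, key.CKA_EXTRACTABLE, key.CKA_DERIVE))

    def sign(self, handle: int, data: bytes) -> bytes:
        """CKM_SHA256_HMAC with a generic-secret key of any length."""
        return hmac.new(self.keys[handle].value, data, hashlib.sha256).digest()


def extract_key(token: ToyToken, victim: int, key_len: int) -> bytes:
    """Recover the victim key byte by byte using only public token calls:
    derive a 1-byte sub-key, MAC known data with it, brute-force 256 values."""
    probe = b"known data"
    recovered = bytearray()
    for i in range(key_len):
        sub = token.derive_extract(victim, bit_offset=8 * i, value_len=1)
        tag = token.sign(sub, probe)
        for guess in range(256):
            candidate = hmac.new(bytes([guess]), probe, hashlib.sha256).digest()
            if hmac.compare_digest(candidate, tag):
                recovered.append(guess)
                break
    return bytes(recovered)


def demo(derive_allowed: bool) -> bool:
    """True if the attacker recovers the 128-bit key, False if the token refuses."""
    token = ToyToken()
    secret = os.urandom(16)
    victim = token.create(KeyObject(secret, CKA_DERIVE=derive_allowed))
    try:
        return extract_key(token, victim, len(secret)) == secret
    except PermissionError:
        return False


if __name__ == "__main__":
    print("CKA_DERIVE=TRUE : key recovered =", demo(True))
    print("CKA_DERIVE=FALSE: key recovered =", demo(False))
```

The attack costs at most 16 derivations and 4096 HMAC computations for a 128-bit key, which is why the usage attributes on a key matter as much as its CKA_SENSITIVE flag: a key that never needs to be a derivation base should carry CKA_DERIVE=FALSE, and a token or application policy that refuses CKM_EXTRACT_KEY_FROM_KEY, or refuses derived keys shorter than the base key, closes the same path (these are general PKCS#11 hardening measures; the specific steps Utimaco recommends are in the company statement referenced above).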

The imminent insertion of a leap second on June 30, 2015 has raised concerns about availability and reliability of computer systems. Utimaco has conducted an analysis of possible impacts of this leap second on our products. This analysis has led to the conclusion that handling of the leap second by CryptoServer HSMs and CryptoServer LAN appliances ensures valid system time settings. Neither degradation of service nor operational failure nor any security-relevant issues are to be expected.

Utimaco has become aware of vulnerability CVE-2015-0235, a.k.a. "GHOST", affecting the gethostbyname() family of functions in the Linux C library glibc. Analysis of the impact of GHOST on Utimaco HSM products has led to the following conclusions:
  • Utimaco's "CryptoServer LAN" appliances embed a vulnerable version of glibc. The GHOST vulnerability cannot be exploited there due to the intentionally limited functionality of the CryptoServer LAN hardened operating system and further mitigating factors.
  • Furthermore, some tools and libraries delivered with Utimaco's HSM product packages call the affected gethostbyname() function. These software modules load glibc dynamically at runtime, so they use whichever glibc the host system provides. Although keys stored inside the HSM cannot be retrieved by an attacker, an attacker might gain access to other data on a host that relies on an affected version of glibc. We therefore strongly recommend upgrading host systems to glibc version 2.18 or above, or to a distribution package that carries the backported fix for CVE-2015-0235: many distributions patched their older glibc releases in place, so the version number alone does not show whether a host is still vulnerable.