CVE-2020-12061

Опубликовано: 21 мая 2021

Источник: nvd

CVSS3: 9.8

CVSS2: 5

EPSS Низкий

Описание

An issue was discovered in Nitrokey FIDO U2F firmware through 1.1. Communication between the microcontroller and the secure element transmits credentials in plain. This allows an adversary to eavesdrop the communication and derive the secrets stored in the microcontroller. As a result, the attacker is able to arbitrarily manipulate the firmware of the microcontroller.

Ссылки

https://cwe.mitre.org/data/definitions/523.html
Third Party Advisory
https://eprint.iacr.org/2021/640.pdf
Exploit
Third Party Advisory
https://github.com/Nitrokey/nitrokey-fido-u2f-firmware/commits/master
Patch
Third Party Advisory
https://github.com/Nitrokey/nitrokey-fido-u2f-firmware/releases
Third Party Advisory
https://cwe.mitre.org/data/definitions/523.html
Third Party Advisory
https://eprint.iacr.org/2021/640.pdf
Exploit
Third Party Advisory
https://github.com/Nitrokey/nitrokey-fido-u2f-firmware/commits/master
Patch
Third Party Advisory
https://github.com/Nitrokey/nitrokey-fido-u2f-firmware/releases
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:nitrokey:fido_u2f_firmware:*:*:*:*:*:*:*:*

Версия до 1.1 (включая)

cpe:2.3:h:nitrokey:fido_u2f:-:*:*:*:*:*:*:*

EPSS

Процентиль: 62%

0.00428

Низкий

9.8 Critical

CVSS3

5 Medium

CVSS2

Дефекты

CWE-522

Связанные уязвимости

GHSA-8743-v63g-3f38