Описание
STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.
Cryptographic timing vulnerabilities were discovered in certain versions of the Trusted Platform Module (TPM) firmware distributed by Intel and STMicroelectronics. Software that uses the TPM to compute ECDSA signatures could leak information through the timing of ECDSA signature operations, allowing an attacker to recover parts of the private key.
Отчет
This is a vulnerability in TPM firmware distributed by hardware vendors, not by Red Hat. Red Hat Enterprise Linux exposes the TPM device at /dev/tpm* where it is available for software with the correct privileges to use. Customers are advised to always ensure that firmware updates from hardware vendors are kept up to date with security fixes.
Меры по смягчению последствий
To remediate this vulnerability, install relevant firmware updates from your hardware vendor and follow their advice to regenerate keys that may be vulnerable or compromised. STMicroelectronics, Intel and OEMs have published firmware updates and advice at the links provided in the External References section.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | linux-firmware | Not affected | ||
| Red Hat Enterprise Linux 7 | linux-firmware | Not affected | ||
| Red Hat Enterprise Linux 8 | linux-firmware | Not affected |
Показывать по
Дополнительная информация
Статус:
6.8 Medium
CVSS3
Связанные уязвимости
STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.
STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.
Уязвимость реализации алгоритма ECDSA микропрограммного обеспечения TPM-процессоров STMicroelectronics ST33, позволяющая нарушителю восстановить значение закрытых ключей, хранимых в модуле TPM (Trusted Platform Module)
6.8 Medium
CVSS3