Vulnerability Description
The Infineon RSA library 1.02.013 in Infineon Trusted Platform Module (TPM) firmware, such as versions before 0000000000000422 - 4.34, before 000000000000062b - 6.43, and before 0000000000008521 - 133.33, mishandles RSA key generation, which makes it easier for attackers to defeat various cryptographic protection mechanisms via targeted attacks, aka ROCA. Examples of affected technologies include BitLocker with TPM 1.2, YubiKey 4 (before 4.3.5) PGP key generation, and the Cached User Data encryption feature in Chrome OS.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Infineon | Trusted Platform Firmware | 4.31 |
| Acer | C720 Chromebook | - |
| Acer | Chromebase | - |
| Acer | Chromebase 24 | - |
| Acer | Chromebook 11 C730 | - |
| Acer | Chromebook 11 C730E | - |
| Acer | Chromebook 11 C735 | - |
| Acer | Chromebook 11 C740 | - |
| Acer | Chromebook 11 C771 | - |
| Acer | Chromebook 11 C771T | - |
| Acer | Chromebook 11 N7 C731 | - |
| Acer | Chromebook 13 Cb5-311 | - |
| Acer | Chromebook 14 Cb3-431 | - |
| Acer | Chromebook 14 For Work Cp5-471 | - |
| Acer | Chromebook 15 Cb3-531 | - |
| Acer | Chromebook 15 Cb3-532 | - |
| Acer | Chromebook 15 Cb5-571 | - |
| Acer | Chromebook R11 | - |
| Acer | Chromebook R13 Cb5-312T | - |
| Acer | Chromebox | - |
References
- http://support.lenovo.com/us/en/product_security/LEN-15552 (Mitigation, Third Party Advisory)
- http://www.securityfocus.com/bid/101484 (Third Party Advisory, VDB Entry)
- https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-m (Issue Tracking, Third Party Advisory)
- https://blog.cr.yp.to/20171105-infineon.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-470231.pdf
- https://crocs.fi.muni.cz/public/papers/rsa_ccs17 (Issue Tracking, Mitigation, Third Party Advisory)
- https://dan.enigmabridge.com/roca-vulnerability-impact-on-gemalto-idprime-net-sm (Issue Tracking, Third Party Advisory)
- https://github.com/crocs-muni/roca (Mitigation, Third Party Advisory)
- https://github.com/iadgov/Detect-CVE-2017-15361-TPM (Mitigation, Third Party Advisory)
- https://ics-cert.us-cert.gov/advisories/ICSA-18-058-01
- https://keychest.net/roca (Issue Tracking, Mitigation, Third Party Advisory)
- https://monitor.certipath.com/rsatest (Mitigation, Third Party Advisory)
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012 (Issue Tracking, Patch, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20171024-0001/
- https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update (Issue Tracking, Mitigation, Patch)
FAQ
What is CVE-2017-15361?
CVE-2017-15361 (ROCA) is a vulnerability with a CVSS score of 5.9 (MEDIUM) in the Infineon RSA library 1.02.013 used in Infineon Trusted Platform Module (TPM) firmware, which mishandles RSA key generation; the full description, including the affected firmware versions, is given above.
How severe is CVE-2017-15361?
CVE-2017-15361 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-15361?
Check the references section above for vendor advisories and patch information. Affected products include: Infineon Trusted Platform Firmware, Acer C720 Chromebook, Acer Chromebase, Acer Chromebase 24, Acer Chromebook 11 C730.