Vulnerability Description
The flash read-out protection (RDP) level is not enforced during the device initialization phase of the SoloKeys Solo 4.0.0 & Somu and the Nitrokey FIDO2 token. This allows an adversary to downgrade the RDP level and access secrets such as private ECC keys from SRAM via the debug interface.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Solokeys | Solo Firmware | 4.0.0 |
| Solokeys | Solo | - |
| Solokeys | Somu Firmware | - |
| Solokeys | Somu | - |
| Nitrokey | Fido2 Firmware | - |
| Nitrokey | Fido2 | - |
Related Weaknesses (CWE)
References
- https://eprint.iacr.org/2021/640Third Party Advisory
- https://github.com/solokeys/solo/commit/a9c02cd354f34b48195a342c7f524abdef5cbcecPatchThird Party Advisory
- https://solokeys.comProduct
- https://twitter.com/SoloKeysSecProduct
- https://www.aisec.fraunhofer.de/de/das-institut/wissenschaftliche-exzellenz/secuThird Party Advisory
- https://www.aisec.fraunhofer.de/en/FirmwareProtection.htmlExploitThird Party Advisory
- https://eprint.iacr.org/2021/640Third Party Advisory
- https://github.com/solokeys/solo/commit/a9c02cd354f34b48195a342c7f524abdef5cbcecPatchThird Party Advisory
- https://solokeys.comProduct
- https://twitter.com/SoloKeysSecProduct
- https://www.aisec.fraunhofer.de/de/das-institut/wissenschaftliche-exzellenz/secuThird Party Advisory
- https://www.aisec.fraunhofer.de/en/FirmwareProtection.htmlExploitThird Party Advisory
FAQ
What is CVE-2020-27208?
CVE-2020-27208 is a vulnerability with a CVSS score of 6.8 (MEDIUM). The flash read-out protection (RDP) level is not enforced during the device initialization phase of the SoloKeys Solo 4.0.0 & Somu and the Nitrokey FIDO2 token. This allows an adversary to downgrade t...
How severe is CVE-2020-27208?
CVE-2020-27208 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-27208?
Check the references section above for vendor advisories and patch information. Affected products include: Solokeys Solo Firmware, Solokeys Solo, Solokeys Somu Firmware, Solokeys Somu, Nitrokey Fido2 Firmware.