Vulnerability in Infineon's RSA library

Vulnerability in Infineon's RSA library

Reference: CVE-2017-15361
Version: 1.0

Summary

The Infineon RSA library version 1.02.013 does not properly generate RSA key pairs. The library is used within Trusted Platform Modules (TPM) and smartcards.

Belgian identity cards are not affected by this vulnerability.

Affected

An up-to-date overview of affected vendors can be found on: http://www.kb.cert.org/vuls/id/307015

The researchers of the vulnerability have published on- and offline tools to verify if your generated RSA key pair is affected: https://keychest.net/roca

Risks

The RSA private key may be recovered from a victim's public key, by a remote attacker, if the key pair was generated by the Infineon RSA library version 1.02.013.

The vulnerability itself has not yet been disclosed publicly and it is not known to be abused publicly yet.

Recommended Actions

Affected users should check with their manufacturer for firmware updates.

For Windows it is recommended to apply both the September 2017 and October 2017 Security Updates before applying the firmware update.

Sources

https://www.infineon.com/TPM-update
http://www.kb.cert.org/vuls/id/307015
https://www.infineon.com/cms/en/product/promopages/tpm-update/
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV17...
http://www.fujitsu.com/global/support/products/software/security/product...
https://support.hp.com/us-en/document/c05792935
https://support.lenovo.com/us/en/product_security/LEN-15552