A flawed Infineon Technology chipset used on PC motherboards to securely store passwords, certificates and encryption keys risks undermining the security of government and corporate computers protected by RSA encryption keys. In a nutshell, the bug makes it possible for an attacker to calculate a private key just by having a target's public key.
Security experts say the bug has been present since 2012 and found specifically in the Infineon's Trusted Platform Module used on a large number of business-class HP, Lenovo and Fijitsu computers, Google Chromebooks as well as routers and IoT devices.
The vulnerability allows for a remote attacker to compute an RSA private key from the value of a public key. The private key can then be misused for purposes of impersonation of a legitimate owner, decryption of sensitive messages, forgery of signatures (such as for software releases) and other related attacks, according to researchers.
The Infineon flaw is tied to a faulty design of Infineon's Trusted Platform Module (TPM), a dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices and used for secured crypto processes.
(Score: 3, Informative) by Anonymous Coward on Wednesday October 18 2017, @01:02PM (5 children)
Ok, let's take a look. I don't look at those things as often as I should, so I'll go to NIST [nist.gov]:
I guess I'll keep using free software to generate my keypairs. It's easier to emerge -1av gnupg gnutls openssl if there's a fix needed than to flash TPM firmware.
(Score: 4, Informative) by AssCork on Wednesday October 18 2017, @01:48PM
Just to put it in perspective, this has a higher 'base' score than KRACKATTACK, but the 'Overall' score is middle-of-the-pack.
CVE-2017-15361 as scored by CERT [cert.org] (CVSSv2 for some reason)
The 'overall' CVSSv2 score can be calculated by punching in the metrics CERT provides into the NVD CVSSv2 Score Calculator [nist.gov].
ProTIP: The 'Environmental' section is where an organization would make adjustments to a score. That's a Good Thing(tm), because some people implement technologies using a different strategy (though in this particular case, I don't know how you could mess with this)
Just popped-out of a tight spot. Came out mostly clean, too.
(Score: 2) by nobu_the_bard on Wednesday October 18 2017, @01:50PM (3 children)
I thought I recognized that term from something I read lately. I was looking into different Bitlocker configurations recently. Thank you for saving me the effort double checking it :)
I'm surprised that didn't make it into the linked article, it is a popular feature on newer Microsoft Windows machines in some industries.
(Score: 3, Informative) by AssCork on Wednesday October 18 2017, @02:27PM (2 children)
Microsoft's Advisory [microsoft.com] mentions BitLocker - You might want to dig into that.
Note that it takes two updates to nail this fix (September's and October's) unless you're deploying the 'quality rollups'.
Just popped-out of a tight spot. Came out mostly clean, too.
(Score: 5, Informative) by ElizabethGreene on Wednesday October 18 2017, @03:27PM (1 child)
It takes more than just updates to address this issue. The infeon chip's firmware needs to be updated (not a Microsoft update), and then you have to wipe and re-generate the keys stored in the TPM
Why is this a big deal?
Your Bitlocker (disk encryption) keys are stored in the TPM.
On a CA, the signing keys can (and should) be stored in the TPM.
On a system with CredentialGuard, the hypervisor keys are stored in the TPM.
On a system with a virtual smartcard, the keys are in the TPM.
It's a big freaking deal, and not enough people are paying attention to it.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012 [microsoft.com]
Here's the kicker. If you are using the TPM in another operating system then you have a problem too. It looks like libengine-tpm-openssl is now abandonware. What is a good way to reach out to the people using it and tell them they have a problem?
(Score: 0) by Anonymous Coward on Wednesday October 18 2017, @11:10PM
yes, its a big deal
the people most interested in securing themselves grumbled and have begun what is necessary--as you listed...
everyone else doesnt care or refuses to be inconvenienced. which really is what got us into many of the security problems to begin with.