Hardware Appliance Security Issue: Slots Configured for Smartcard Authentication can be Activated by Password Alone

Nov 11 2021

Dear Customers and Partners,

PrimeKey has released an update to address a vulnerability in Hardware Appliance that was reported by a customer.

As part of PrimeKey's new policy, we will submit this issue publicly as a CVE two weeks after alerting customers (two weeks after the release of Hardware Appliance 3.9.2).

Issue Summary

When using smart card activated slots or when a smart card is required to start the application in PKCS#11 R2 mode, the internal HSM was insecurely configured in prior firmware releases.

The insecure configuration of the HSM means that the HSM did not enforce the smart card requirement and that only the authentication code was checked. In recent Hardware Appliance firmware versions, the smart card check can be circumvented (while the correct authentication code is still required).

To check the PKCS#11 variant and HSM smart card activations of your installation, navigate to the Hardware Appliance WebConf HSM tab. The overview displays the PKCS#11 Variant used and whether HSM Smart Card Activations is enabled for one of the slots or for boot; see HSM.

Severity

  • High - correct authentication code is still required.

Who is not affected

  • Installations that use PKCS#11 R1 are not affected.
  • Installations that neither use smart cards for activating slots nor on boot or application start are not affected.
  • Installations that use smart cards only for backup encryption by using a Master Backup Key (MBK) are not affected.

To check the PKCS#11 variant and HSM smart card activations of your installation, navigate to the Hardware Appliance WebConf HSM tab.

Who is potentially affected

Smart card activated slots in PKCS#11 R2 mode have been supported since 3.3.0; all of these versions are affected.

To check the PKCS#11 variant and HSM smart card activations of your installation, navigate to the Hardware Appliance WebConf HSM tab.

Mitigation

To resolve the issue, Hardware Appliance version 3.9.2 or later must be installed, and then the HSM must be reconfigured. The HSM is reconfigured using the WebConf Wizard to restore system from backup or connect to cluster.

Contact us:

support@primekey.com

Global support number: +1 251 317 6984