Hardware Appliance Security Issue: Slots Configured for Smartcard Authentication can be Activated by Password Alone
Dear Customers and Partners,
PrimeKey has released an update to address a vulnerability in the Hardware Appliance reported by a customer.
As a part of PrimeKey's new policy, we will be submitting this issue publicly as a CVE two weeks after alerting customers (two weeks after the release of Hardware Appliance 3.9.2).
Issue Summary
When using smart card activated slots, or when a smart card is required to start the application in PKCS#11 R2 mode, the internal HSM was insecurely configured in prior firmware releases.
The insecure configuration of the HSM means that the HSM did not enforce the smart card requirement and that only the authentication code was checked. In recent Hardware Appliance firmware versions, the smart card check can be circumvented (while the correct authentication code is still required).
To check the PKCS#11 variant and HSM smart card activations of your installation, navigate to the Hardware Appliance WebConf HSM tab. The overview displays the PKCS#11 Variant used and whether HSM Smart Card Activations is enabled for one of the slots or for boot, see HSM.
Severity
- High - correct authentication code is still required.
Who is not affected
- Installations that use PKCS#11 R1 are not affected.
- Installations that neither use smart cards for activating slots nor on boot or application start are not affected.
- Installations that use smart cards only for backup encryption by using a Master Backup Key (MBK) are not affected.
To check the PKCS#11 variant and HSM smart card activations of your installation, navigate to the Hardware Appliance WebConf HSM tab.
Who is potentially affected
Smart card activated slots in PKCS#11 R2 mode have been supported since 3.3.0; all of these versions are affected.
To check the PKCS#11 variant and HSM smart card activations of your installation, navigate to the Hardware Appliance WebConf HSM tab.
Mitigation
To resolve the issue, Hardware Appliance version 3.9.2 or later must be installed, and then the HSM must be reconfigured. The HSM is reconfigured using the WebConf Wizard to restore the system from backup or connect to a cluster.
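For operators with several appliances, the criteria and the two-step mitigation above can be applied to an inventory as in the following added example (not PrimeKey code). The record fields, status strings and sample inventory are assumptions constructed for illustration, with the values read by hand from the WebConf HSM tab.

```python
from dataclasses import dataclass

FEATURE_SINCE = (3, 3, 0)  # smart card activated slots in PKCS#11 R2 mode exist since 3.3.0
FIXED_IN = (3, 9, 2)       # version that must be installed before the HSM is reconfigured

@dataclass
class Appliance:               # hypothetical inventory record, filled in by hand
    name: str
    version: str               # Hardware Appliance firmware version, e.g. "3.9.1"
    pkcs11_variant: str        # "R1" or "R2", as shown on the WebConf HSM tab
    smartcard_slot: bool       # smart card activation enabled for at least one slot
    smartcard_boot: bool       # smart card required on boot or application start
    hsm_reconfigured: bool     # HSM reconfigured with the wizard after the upgrade

def parse_version(text):
    """Turn '3.10.0' into (3, 10, 0) so that 3.10.0 sorts after 3.9.2."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def triage(a):
    # Smart cards used only for a Master Backup Key set neither flag: not affected.
    if a.pkcs11_variant.upper() != "R2" or not (a.smartcard_slot or a.smartcard_boot):
        return "not affected"
    version = parse_version(a.version)
    if version < FEATURE_SINCE:
        return "verify record"  # feature did not exist yet; inventory data is inconsistent
    if version < FIXED_IN:
        return "affected: upgrade, then reconfigure HSM"
    if not a.hsm_reconfigured:
        return "affected: reconfigure HSM"  # upgrading alone does not resolve the issue
    return "remediated"

def report(inventory):
    return {a.name: triage(a) for a in inventory}

# Constructed sample inventory (not real systems).
SAMPLE = [
    Appliance("ca-1", "3.8.0", "R2", True, False, False),
    Appliance("ca-2", "3.9.2", "R2", False, True, False),
    Appliance("ca-3", "3.10.0", "R2", True, True, True),
    Appliance("va-1", "3.5.1", "R1", True, False, False),
    Appliance("ra-1", "3.7.0", "R2", False, False, False),
]

if __name__ == "__main__":
    for name, status in report(SAMPLE).items():
        print(f"{name}: {status}")
```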