This maintenance release resolves a security issue when using smart cards to additionally secure key material in PKCS#11 R2 mode.
- Slots Configured for Smartcard Authentication can be Activated by Password Alone
When using smart card activated slots or when a smart card is required to start the application on PKCS#11 R2 mode, the internal HSM was insecurely configured in prior firmware releases.
The insecure configuration of the HSM means that the HSM did not enforce the smart card requirement and that only the authentication code was checked. In recent Hardware Appliance firmware versions, the smart card check can be circumvented (while the correct authentication code is still required).
To check the PKCS#11 variant and HSM smart card activations of your installation, navigate to the Hardware Appliance WebConf HSM tab. The overview displays the PKCS#11 Variant used and if HSM Smart Card Activations is enabled for one of the slots or for boot, see HSM.
Please view the full Release Notes for EJBCA Hardware Appliance here
and for SignServer Hardware Appliance here.