Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/17/2017
04:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Factorization Bug Exposes Millions Of Crypto Keys To 'ROCA' Exploit

Products from Lenovo, HPE, Google, Microsoft, and others impacted by flaw in Infineon chipset.

The set of key reinstallation vulnerabilities disclosed Monday in the WPA2 protocol is actually the second disclosure in recent days to hammer home just how difficult it can be getting cryptography right.

Last week a team of security researchers from Masaryk University in the Czech Republic and other organizations disclosed a bug in a Trusted Platform Module (TPM) chipset from Infineon Technologies AG that some believe is worse than the KRACK WiFi flaws.

The factorization vulnerability gives attackers a way to recover the private half of any RSA encryption key generated by the chipset, using only the public key. Unlike the KRACK flaws, an attacker does not need to be close to a vulnerable device or have access to it, in order to exploit the flaw. Any RSA key generated by a vulnerable Infineon chipset is open to attack, the researchers said in an alert.

"It's a huge deal in terms of the integrity of the infrastructure. Once the private key is derived, integrity is lost." says Scott Petry CEO and Founder of Authentic8.

"The practical nature of the vulnerability is a function of how broad the TPM installed base is and whether an attacker can determine a vulnerable private key from the public part — in other words, can an attacker determine if a key was generated by the chipset or not," he says.

According to the researchers, the bug makes factorization of 1024 and 2048 bit key lengths practically possible in terms of time and cost. "The worst cases for the factorization of 1024-bit and 2048-bit keys are less than 3 CPU-months and 100 CPU-years, respectively, on a single core of a common recent CPU, while the expected time is half of that of the worst case," the researchers said.

Using multiple CPUs to do the factorization can reduce the time significantly. At current prices, an attacker would spend about $76 to do the factorization for a 1024-bit key using an Amazon AWS c4 instance and roughly $40,000 to do the same with a 2,048-bit key.  Currently, at least 760,000 keys generated by the chipset are confirmed to be vulnerable. But it is quite possible that between two and three magnitudes more keys are broken.

The researchers will present a research paper titled "The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli' (ROCA) that will describe the attack more in detail Nov. 2 at the ACM CCS conference in Dallas.

The ROCA issue impacts any product in which the buggy chipset is integrated. The list includes products from Google, Microsoft, HPE, Lenovo and Fujitsu as well as trusted boot devices, authentication tokens and software package signing tools from other vendors. All of the vendors have released updates and advice to mitigate the issue. Infineon itself was informed about the bug in February and given time to address the issue before public disclosure. The company has developed firmware updates and made it available to OS and device makers.

"Cryptography is undoubtedly the most difficult problem to get right when it comes to information security," says Sean Dillon, senior security researcher at RiskSense.

If the number of cryptographic weaknesses that have been discovered in once widely trusted algorithms in recent years is any indication, more related vulnerabilities continue to be found for years to come, he predicts.

Vulnerabilities such as the ROCA flaw suggest the use of quantum computing and large prime factorization is not just a research concept, he says. Rather they portend "practical attack(s) that can break the entire trust model, even amongst big players such as governments and financial institutions," Dillon says.

Related content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/30/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5425
PUBLISHED: 2020-10-31
Single Sign-On for Vmware Tanzu all versions prior to 1.11.3 ,1.12.x versions prior to 1.12.4 and 1.13.x prior to 1.13.1 are vulnerable to user impersonation attack.If two users are logged in to the SSO operator dashboard at the same time, with the same username, from two different identity provider...
CVE-2020-15703
PUBLISHED: 2020-10-31
There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivile...
CVE-2020-5991
PUBLISHED: 2020-10-30
NVIDIA CUDA Toolkit, all versions prior to 11.1.1, contains a vulnerability in the NVJPEG library in which an out-of-bounds read or write operation may lead to code execution, denial of service, or information disclosure.
CVE-2020-15273
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. The issue affects the following components: Edit feed settings, Edit widget area, Sub site new registration, New category registration. Arbitrary JavaScript may be executed by entering specific characters in the account that can ac...
CVE-2020-15276
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. Arbitrary JavaScript may be executed by entering a crafted nickname in blog comments. The issue affects the blog comment component. It is fixed in version 4.4.1.