Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-15361

The Infineon RSA library 1.02.013 in Infineon Trusted Platform Module (TPM) firmware, such as versions before 0000000000000422 - 4.34, before 000000000000062b - 6.43, and before 0000000000008521 - 133.33, mishandles RSA key generation, which makes it easier for attackers to defeat various cryptographic protection mechanisms via targeted attacks, aka ROCA. Examples of affected technologies include BitLocker with TPM 1.2, YubiKey 4 (before 4.3.5) PGP key generation, and the Cached User Data encryption feature in Chrome OS.

Published

2017-10-16T17:29:00.243

Last Modified

2025-04-20T01:37:25.860

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 5.9 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	infineon	trusted_platform_firmware	4.31	Yes
Operating System	infineon	trusted_platform_firmware	4.32	Yes
Operating System	infineon	trusted_platform_firmware	6.40	Yes
Operating System	infineon	trusted_platform_firmware	133.32	Yes
Hardware	acer	c720_chromebook	-	No
Hardware	acer	chromebase	-	No
Hardware	acer	chromebase_24	-	No
Hardware	acer	chromebook_11_c730	-	No
Hardware	acer	chromebook_11_c730e	-	No
Hardware	acer	chromebook_11_c735	-	No
Hardware	acer	chromebook_11_c740	-	No
Hardware	acer	chromebook_11_c771	-	No
Hardware	acer	chromebook_11_c771t	-	No
Hardware	acer	chromebook_11_n7_c731	-	No
Hardware	acer	chromebook_13_cb5-311	-	No
Hardware	acer	chromebook_14_cb3-431	-	No
Hardware	acer	chromebook_14_for_work_cp5-471	-	No
Hardware	acer	chromebook_15_cb3-531	-	No
Hardware	acer	chromebook_15_cb3-532	-	No
Hardware	acer	chromebook_15_cb5-571	-	No
Hardware	acer	chromebook_r11	-	No
Hardware	acer	chromebook_r13_cb5-312t	-	No
Hardware	acer	chromebox	-	No
Hardware	acer	chromebox_cxi2	-	No
Hardware	aopen	chromebase	-	No
Hardware	aopen	chromebase	-	No
Hardware	aopen	chromebox	-	No
Hardware	aopen	chromeboxi	-	No
Hardware	asi	chromebook	-	No
Hardware	asus	chromebit_cs10	-	No
Hardware	asus	chromebook_c200	-	No
Hardware	asus	chromebook_c201pa	-	No
Hardware	asus	chromebook_c202sa	-	No
Hardware	asus	chromebook_c300	-	No
Hardware	asus	chromebook_c300sa	-	No
Hardware	asus	chromebook_c301sa	-	No
Hardware	asus	chromebook_flip_c100pa	-	No
Hardware	asus	chromebook_flip_c302	-	No
Hardware	asus	chromebox_cn60	-	No
Hardware	asus	chromebox_cn62	-	No
Hardware	bobicus	chromebook_11	*	No
Hardware	ctl	j2_chromebook	-	No
Hardware	ctl	j4_chromebook	-	No
Hardware	ctl	j5_chromebook	-	No
Hardware	ctl	n6_chromebook	-	No
Hardware	ctl	nl61_chromebook	-	No
Hardware	dell	chromebook_11	-	No
Hardware	dell	chromebook_11_3120	-	No
Hardware	dell	chromebook_11_3189	-	No
Hardware	dell	chromebook_11_model_3180	-	No
Hardware	dell	chromebook_13_3380	-	No
Hardware	dell	chromebox	-	No
Hardware	edugear	chromebook_k	-	No
Hardware	edugear	chromebook_m	-	No
Hardware	edugear	chromebook_r	-	No
Hardware	edugear	cmt_chromebook	-	No
Hardware	edxis	chromebook	-	No
Hardware	edxis	education_chromebook	-	No
Hardware	epik	chromebook_elb1101	-	No
Hardware	google	pixel	-	No
Hardware	haier	chromebook_11	-	No
Hardware	haier	chromebook_11_c	-	No
Hardware	haier	chromebook_11_g2	-	No
Hardware	haier	chromebook_11e	-	No
Hardware	hexa	chromebook_pi	-	No
Hardware	hisense	chromebook_11	-	No
Hardware	hp	chromebook	-	No
Hardware	hp	chromebook_11-vxxx	-	No
Hardware	hp	chromebook_11_1100-1199	-	No
Hardware	hp	chromebook_11_2000-2099	-	No
Hardware	hp	chromebook_11_2100-2199	-	No
Hardware	hp	chromebook_11_2200-2299	-	No
Hardware	hp	chromebook_11_g1	-	No
Hardware	hp	chromebook_11_g2	-	No
Hardware	hp	chromebook_11_g3	-	No
Hardware	hp	chromebook_11_g4\/g4_ee	-	No
Hardware	hp	chromebook_11_g5	-	No
Hardware	hp	chromebook_11_g5_ee	-	No
Hardware	hp	chromebook_13_g1	-	No
Hardware	hp	chromebook_14	-	No
Hardware	hp	chromebook_14_ak000-099	-	No
Hardware	hp	chromebook_14_g3	-	No
Hardware	hp	chromebook_14_g4	-	No
Hardware	hp	chromebook_14_x000-x999	-	No
Hardware	hp	chromebox_cb1-\(000-099\)	-	No
Hardware	hp	chromebox_g1	-	No
Hardware	lenovo	100s_chromebook	-	No
Hardware	lenovo	n20_chromebook	-	No
Hardware	lenovo	n21_chromebook	-	No
Hardware	lenovo	n22_chromebook	-	No
Hardware	lenovo	n23_chromebook	-	No
Hardware	lenovo	n23_flex_11_chromebook	-	No
Hardware	lenovo	n23_yoga_11_chromebook	-	No
Hardware	lenovo	n42_chromebook	-	No
Hardware	lenovo	thinkcentre_chromebox	-	No
Hardware	lenovo	thinkpad_11e_chromebook	-	No
Hardware	lenovo	thinkpad_13_chromebook	-	No
Hardware	lg	chromebase_22cb25s	-	No
Hardware	lg	chromebase_22cv241	-	No
Hardware	medion	akoya_s2013	-	No
Hardware	medion	chromebook_s2015	-	No
Hardware	mercer	chromebook	-	No
Hardware	mercer	v2_chromebook	-	No
Hardware	ncomputing	chromebook_cx100	-	No
Hardware	nexian	chromebook	-	No
Hardware	pcmerge	chromebook_pcm-116t-432b	-	No
Hardware	poin2	chromebook_11	-	No
Hardware	poin2	chromebook_14	-	No
Hardware	positivo	chromebook_ch1190	-	No
Hardware	prowise	entry_line_chromebook	-	No
Hardware	prowise	proline_chromebook	-	No
Hardware	rgs	education_chromebook	-	No
Hardware	samsung	chromebook_2_11	-	No
Hardware	samsung	chromebook_2_11_xe500c12	-	No
Hardware	samsung	chromebook_2_13	-	No
Hardware	samsung	chromebook_3	-	No
Hardware	samsung	chromebook_plus	-	No
Hardware	samsung	chromebook_pro	-	No
Hardware	sector-five	e1_rugged_chromebook	-	No
Hardware	senkatel	c1101_chromebook	-	No
Hardware	toshiba	chromebook	-	No
Hardware	toshiba	chromebook_2	-	No
Hardware	toshiba	chromebook_2	-	No
Hardware	true	idc_chromebook	-	No
Hardware	true	idc_chromebook_11	-	No
Hardware	videonet	chromebook	-	No
Hardware	videonet	chromebook_bl10	-	No
Hardware	viglen	chromebook_11	-	No
Hardware	viglen	chromebook_360	-	No
Hardware	xolo	chromebook	-	No
Application	infineon	rsa_library	≤ 1.02.013	Yes

References

http://support.lenovo.com/us/en/product_security/LEN-15552 Mitigation, Third Party Advisory ([email protected])
http://www.securityfocus.com/bid/101484 Third Party Advisory, VDB Entry ([email protected])
https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/ Issue Tracking, Third Party Advisory ([email protected])
https://blog.cr.yp.to/20171105-infineon.html ([email protected])
https://cert-portal.siemens.com/productcert/pdf/ssa-470231.pdf ([email protected])
https://crocs.fi.muni.cz/public/papers/rsa_ccs17 Issue Tracking, Mitigation, Third Party Advisory ([email protected])
https://dan.enigmabridge.com/roca-vulnerability-impact-on-gemalto-idprime-net-smart-cards/ Issue Tracking, Third Party Advisory ([email protected])
https://github.com/crocs-muni/roca Mitigation, Third Party Advisory ([email protected])
https://github.com/iadgov/Detect-CVE-2017-15361-TPM Mitigation, Third Party Advisory ([email protected])
https://ics-cert.us-cert.gov/advisories/ICSA-18-058-01 ([email protected])
https://keychest.net/roca Issue Tracking, Mitigation, Third Party Advisory ([email protected])
https://monitor.certipath.com/rsatest Mitigation, Third Party Advisory ([email protected])
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012 Issue Tracking, Patch, Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20171024-0001/ ([email protected])
https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update Issue Tracking, Mitigation, Patch, Third Party Advisory ([email protected])
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03789en_us ([email protected])
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03801en_us ([email protected])
https://www.infineon.com/cms/en/product/promopages/tpm-update/?redirId=59160 Mitigation, Vendor Advisory ([email protected])
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00104.html ([email protected])
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00148.html ([email protected])
https://www.kb.cert.org/vuls/id/307015 Issue Tracking, Mitigation, Third Party Advisory, US Government Resource ([email protected])
https://www.yubico.com/support/security-advisories/ysa-2017-01/ Mitigation, Third Party Advisory ([email protected])
http://support.lenovo.com/us/en/product_security/LEN-15552 Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/101484 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/ Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://blog.cr.yp.to/20171105-infineon.html (af854a3a-2127-422b-91ae-364da2661108)
https://cert-portal.siemens.com/productcert/pdf/ssa-470231.pdf (af854a3a-2127-422b-91ae-364da2661108)
https://crocs.fi.muni.cz/public/papers/rsa_ccs17 Issue Tracking, Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://dan.enigmabridge.com/roca-vulnerability-impact-on-gemalto-idprime-net-smart-cards/ Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/crocs-muni/roca Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/iadgov/Detect-CVE-2017-15361-TPM Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://ics-cert.us-cert.gov/advisories/ICSA-18-058-01 (af854a3a-2127-422b-91ae-364da2661108)
https://keychest.net/roca Issue Tracking, Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://monitor.certipath.com/rsatest Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012 Issue Tracking, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20171024-0001/ (af854a3a-2127-422b-91ae-364da2661108)
https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update Issue Tracking, Mitigation, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03789en_us (af854a3a-2127-422b-91ae-364da2661108)
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03801en_us (af854a3a-2127-422b-91ae-364da2661108)
https://www.infineon.com/cms/en/product/promopages/tpm-update/?redirId=59160 Mitigation, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00104.html (af854a3a-2127-422b-91ae-364da2661108)
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00148.html (af854a3a-2127-422b-91ae-364da2661108)
https://www.kb.cert.org/vuls/id/307015 Issue Tracking, Mitigation, Third Party Advisory, US Government Resource (af854a3a-2127-422b-91ae-364da2661108)
https://www.yubico.com/support/security-advisories/ysa-2017-01/ Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)