Alert ID: ALERT2439
Symantec is aware of the vulnerability reported in ROCA: Vulnerable RSA generation (CVE-2017-15361). As mentioned in the report, the vulnerability lies in the RSA key pair generation implemented by a cryptographic library used on some Infineon chips. Although the reported vulnerability was not in certificate issuance, a digital certificate may be impacted if its RSA key pair was generated by an implementation that contains the vulnerability.
At this time we can confirm that Symantec systems, including our public roots, do not have the reported vulnerability. As a security precaution, we have scanned the certificates in our certificate store for potentially vulnerable keys and are reaching out to the small number of impacted customers. We will continue to scan new certificates, and implement steps for early detection.
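A minimal version of the kind of key scan described above, added here as an illustration and not Symantec's scanner: keys from the flawed generator use primes of the form k*M + (65537^a mod M), where M is a product of small primes, so the modulus reduced by each of those primes is a power of 65537. The function names, labels and sample moduli are constructed for this example, and extracting the modulus from each certificate is assumed to happen beforehand.

```python
# Added example: ROCA (CVE-2017-15361) fingerprint test on RSA moduli.
from math import prod

GENERATOR = 65537
# Small odd primes dividing the primorial M used by the flawed key generator.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
                137, 139, 149, 151, 157, 163, 167]

def subgroup(r):
    """Residues mod r reachable as powers of 65537."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * GENERATOR % r
    return seen

ALLOWED = {r: subgroup(r) for r in SMALL_PRIMES}

def has_roca_fingerprint(n):
    """True when n mod r is a power of 65537 for every small prime r."""
    return all(n % r in ALLOWED[r] for r in SMALL_PRIMES)

def scan(moduli):
    """Return the labels of moduli that carry the fingerprint."""
    return sorted(label for label, n in moduli.items() if has_roca_fingerprint(n))

def constructed_modulus(a, b, k1, k2):
    """Constructed test value with the flawed residue structure.
    Its factors are not checked for primality; only residues matter here."""
    m = 2 * prod(SMALL_PRIMES)
    return (k1 * m + pow(GENERATOR, a, m)) * (k2 * m + pow(GENERATOR, b, m))

# Constructed inventory: label -> RSA modulus (hypothetical names).
SAMPLE = {
    "cert-a": constructed_modulus(12345, 67890, 3, 5),
    "cert-b": (2**61 - 1) * (2**89 - 1),  # product of two Mersenne primes
}

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A modulus that passes every check is very likely affected; an unaffected key fails at least one of the checks with overwhelming probability.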
If you do have impacted certificates, Symantec recommends the following remediation steps: