
Alert ID : ALERT2444

INFORMATIONAL: Infineon Technologies Hardware token vulnerability

Symantec is aware of the vulnerability reported in ROCA: Vulnerable RSA generation (CVE-2017-15361). As described in the report, the vulnerability lies in the RSA key pair generation implemented by a cryptographic library on some Infineon chips. Although the reported vulnerability is not in certificate issuance, digital certificates may be impacted if the key pair they certify was generated by the vulnerable implementation.

At this time we can confirm that Symantec systems, including our public roots, do not have the reported vulnerability. As a security precaution, we have scanned the certificates in our certificate store for potentially vulnerable keys and are reaching out to the small number of impacted customers. We will continue to scan new certificates and are implementing steps for early detection.

If you do have impacted certificates, Symantec recommends the following remediation steps:

  1. Identify the PIV Card, Physical Token, derived PIV Credential, or other device in your environment that generated the key pair whose public key has been flagged as at-risk. The only reliable way to confirm the vulnerability is to generate an RSA key pair on the device and test the public key with the tools provided in the ROCA disclosure announcement.
  2. Once confirmed, contact your vendor to obtain replacements that have been specifically verified to produce a secure key pair.
  3. Create a plan to replace all PIV Cards, Physical Tokens, derived PIV Credentials, or other devices containing the flagged public key.
  4. Generate a new key pair after the device replacement.
  5. Obtain new certificates for the new public keys and activate them for use.
  6. Revoke the impacted digital certificates.
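As an added illustration of the scan described above (this is not Symantec's code nor the ROCA authors' tool), the following Python implements the residue fingerprint on which the public ROCA detection tools rely: moduli from the affected library are congruent to a power of 65537 modulo each small prime up to 167. The modulus can be taken from a certificate with `openssl x509 -noout -modulus -in cert.pem`; the `modulus_from_pem` helper and the sample moduli in the block are assumptions constructed for this example, not real keys.

```python
"""Fingerprint test for RSA moduli affected by ROCA (CVE-2017-15361).

Primes from the affected library have the form k*M + (65537^a mod M), where M
is a primorial. The product N = p*q is therefore congruent to a power of 65537
modulo every small prime dividing M, so N mod p must lie in the multiplicative
subgroup generated by 65537 mod p. A properly random modulus almost never
satisfies this for all 38 primes at once, so false positives are negligible.
"""

# The first 38 odd primes (3..167), the set the public ROCA detector uses.
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
          73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151,
          157, 163, 167]
PUBLIC_EXPONENT = 65537


def generator_subgroup(p: int, g: int = PUBLIC_EXPONENT) -> frozenset:
    """Return {g^k mod p : k >= 0}: the residues a ROCA modulus can take mod p."""
    residues, x = set(), 1
    while x not in residues:
        residues.add(x)
        x = (x * g) % p
    return frozenset(residues)


# Precompute the allowed residue set once per prime.
ALLOWED = {p: generator_subgroup(p) for p in PRIMES}


def first_failing_prime(modulus: int):
    """Smallest prime at which the fingerprint breaks, or None if it never breaks."""
    for p in PRIMES:
        if modulus % p not in ALLOWED[p]:
            return p
    return None


def is_roca_fingerprint(modulus: int) -> bool:
    """True if the modulus carries the ROCA residue fingerprint for every prime."""
    return first_failing_prime(modulus) is None


def modulus_from_pem(pem_bytes: bytes) -> int:
    """Extract the RSA modulus from a PEM certificate (needs the 'cryptography' package)."""
    from cryptography import x509  # optional dependency, imported lazily
    return x509.load_pem_x509_certificate(pem_bytes).public_key().public_numbers().n


if __name__ == "__main__":
    # Constructed values: 65537**3 has the fingerprint by construction; 173*179 does not.
    for n in (65537 ** 3, 173 * 179):
        print(n, "flagged" if is_roca_fingerprint(n) else "clean", first_failing_prime(n))
```

A flagged modulus is only a strong indicator; per step 1 above, confirm by generating a fresh key pair on the device and testing that key with the disclosure's tools.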