6.8
CVE-2020-27208
- EPSS 0.33%
- Veröffentlicht 21.05.2021 12:15:07
- Zuletzt bearbeitet 21.11.2024 05:20:51
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginThe flash read-out protection (RDP) level is not enforced during the device initialization phase of the SoloKeys Solo 4.0.0 & Somu and the Nitrokey FIDO2 token. This allows an adversary to downgrade the RDP level and access secrets such as private ECC keys from SRAM via the debug interface.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Solokeys ≫ Solo Firmware Version4.0.0
Solokeys ≫ Somu Firmware Version-
Nitrokey ≫ Fido2 Firmware Version-
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.33% | 0.243 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.8 | 0.9 | 5.9 |
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 4.6 | 3.9 | 6.4 |
AV:L/AC:L/Au:N/C:P/I:P/A:P
|
CWE-326 Inadequate Encryption Strength
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
https://www.aisec.fraunhofer.de/en/FirmwareProtection.html
https://eprint.iacr.org/2021/640
https://www.aisec.fraunhofer.de/de/das-institut/wissenschaftliche-exzellenz/security-and-trust-in-open-source-security-tokens.html
https://github.com/solokeys/solo/commit/a9c02cd354f34b48195a342c7f524abdef5cbcec
https://solokeys.com
https://twitter.com/SoloKeysSec