4.6

CVE-2021-32033

Exploit

EPSS 0.15%
Veröffentlicht 16.06.2021 12:15:12
Zuletzt bearbeitet 21.11.2024 06:06:45
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Protectimus SLIM NFC 70 10.01 devices allow a Time Traveler attack in which attackers can predict TOTP passwords in certain situations. The time value used by the device can be set independently from the used seed value for generating time-based one-time passwords, without authentication. Thus, an attacker with short-time physical access to a device can set the internal real-time clock (RTC) to the future, generate one-time passwords, and reset the clock to the current time. This allows the generation of valid future time-based one-time passwords without having further access to the hardware token.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Protectimus ≫ Slim Nfc 70 Firmware Version10.01

Protectimus ≫ Slim Nfc 70 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.15%	0.362

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.6	0.9	3.6	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	1.9	3.4	2.9	AV:L/AC:M/Au:N/C:P/I:N/A:N

CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

http://packetstormsecurity.com/files/163223/Protectimus-SLIM-NFC-Time-Manipulation.html

Third Party Advisory

Exploit

VDB Entry

http://seclists.org/fulldisclosure/2021/Jun/39

Third Party Advisory

Exploit

Mailing List

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-007.txt

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2021-32033

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-32033

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-32033

EUVD