Security Updates


January 12, 2018

Meltdown and Spectre microprocessor vulnerabilities


It has recently been announced that a generic weakness in the speculative execution and out-of-order execution mechanisms implemented by modern processors (CPUs) could allow unauthorized access to sensitive data through several attack scenarios, documented as CVE-2017-5715 and CVE-2017-5753 (known as Spectre) and CVE-2017-5754 (known as Meltdown).
Whatever the exploitation scenario, this weakness requires a specific vulnerable CPU, and requires that CPU to execute a specific code sequence in order to access unauthorized memory.

Gemalto has set up a dedicated team of security experts to work on the situation and immediately performed a full assessment of its portfolio of offers, services, and manufacturing environments.

The status regarding Gemalto's offers is the following:

  • Are not impacted by this weakness:
    • HSM, smart cards, hardware tokens, secure elements, IoT devices
  • Are not threatened by realistically exploitable scenarios:
    • Manufacturing & personalization services
    • Private cloud environments
    • Appliance based products
    • Software solutions
  • Are exposed and require patches or mitigations:
    • Services based on Public Cloud environments, and especially the segregation between tenants of shared hardware. All identified attack scenarios are reported as mitigated by our Cloud Service Providers.
    • Mobile Applications: the exposure varies depending on the mitigation provided by the device maker. This risk can be partially mitigated by the Gemalto software security mechanism.

We recommend that our Customers apply all relevant vendors' patches and mitigations. It is important to note that the patches supplied by OS vendors can impact the performance and stability of the system. Gemalto recommends testing them and evaluating the performance impact on each platform (hardware/OS) before rolling them out to production systems.

Gemalto CERT continues to closely monitor developments and will update this information as needed.

Customers who have more questions about these vulnerabilities should get in touch with their usual Gemalto contact.

November 14, 2017

CVE-2017-15361 ROCA Vulnerability - Infineon RSA library does not properly generate RSA key pairs

It has been announced that a potential security vulnerability, known as ROCA (CVE-2017-15361), has been discovered in the Infineon software cryptographic library.
The alleged issue lies in the RSA on-board key generation function, which is part of a library optionally bundled with the chip by the silicon manufacturer. Infineon has stated that the chip hardware itself is not affected, and has shared the information related to this potential vulnerability with its customers.

As Gemalto sources certain products from Infineon, we have examined our entire product portfolio to identify those which use the affected software. Our thorough product analysis has concluded that:
  • In the vast majority of cases, the crypto libraries developed by the chip manufacturer are not included in our products. It is standard practice that Gemalto products use our in-house cryptographic libraries, developed by our internal R&D teams and cryptography experts. We can confirm that products containing Gemalto’s crypto libraries are immune to the attack.
  • We can confirm that none of our mobile, IoT or payment products and solutions are impacted in any way. For national eID cards, only one customer uses the Infineon crypto library; a solution to prevent any potential issues, consisting of a remote update of the eID cards, has been set up and implemented. For ePassport programs, none are impacted. For our Enterprise portfolio, IDPrime.NET products are impacted, depending on customer configuration (see https://safenet.gemalto.com/technical-support/security-updates/).

We have already contacted the customers that use these products and are currently working with them on remedial solutions. Gemalto takes this issue very seriously. We have set up a dedicated team of security experts to work on the situation and we will continue to monitor any developments.
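Because exposure depends on which library generated a given key, a practitioner will want to test the keys actually deployed rather than rely on the product name alone. The following is an added example, not code from Gemalto or Infineon: it applies the published ROCA fingerprint (moduli from the affected generator are congruent to a power of 65537 modulo every small prime of a primorial) to an RSA modulus supplied as an integer; the sample modulus is constructed to carry that structure and is not a real key.

```python
"""ROCA fingerprint check (CVE-2017-15361) for an RSA public modulus.

Keys from the affected Infineon library have primes of the form
p = k*M + (65537^a mod M), with M a primorial, so the modulus N satisfies
N mod r in <65537> (the subgroup generated by 65537 mod r) for every small
prime r dividing M. Keys from other generators fail this for some r with
overwhelming probability. Standard library only; the modulus is passed as
an integer (parse it out of a certificate or key file first).
"""

# First 39 primes: the 512-bit parameter set from the ROCA paper. Larger
# key sizes use longer primorials that contain these primes, so the check
# still applies to them, at a somewhat higher false-positive rate.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113,
                127, 131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def subgroup(r: int) -> set:
    """Residues mod r of the form 65537^i (the fingerprint set for r)."""
    members, x = set(), 1
    while x not in members:
        members.add(x)
        x = (x * GENERATOR) % r
    return members


def is_roca_fingerprint(n: int) -> bool:
    """True when n mod r lies in <65537> for every small prime r."""
    return all(n % r in subgroup(r) for r in SMALL_PRIMES)


def roca_like_modulus(k1: int, a1: int, k2: int, a2: int) -> int:
    """Constructed test modulus with the affected library's structure.
    Only the residues modulo the small primes matter for the fingerprint,
    so the two factors are not checked for primality: test data, not a key.
    """
    m = 1
    for r in SMALL_PRIMES:
        m *= r
    p1 = k1 * m + pow(GENERATOR, a1, m)
    p2 = k2 * m + pow(GENERATOR, a2, m)
    return p1 * p2


if __name__ == "__main__":
    suspect = roca_like_modulus(12345, 7, 67890, 11)   # constructed sample
    print("constructed modulus flagged:", is_roca_fingerprint(suspect))
    print("control value flagged:", is_roca_fingerprint(65537 ** 5 + 2))
```

A key flagged by this test should be treated as generated by the affected library and replaced; a key that passes the test is not otherwise proven strong, so it still needs the usual size and source checks.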