Bug 1186848 - (CVE-2020-27208) VUL-0: CVE-2020-27208: solo: downgrade the RDP level and access secrets such as private ECC keys from SRAM via the debug interface
Status: IN_PROGRESS
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.2
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Matthias Bach
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/300545/
Reported: 2021-06-04 09:04 UTC by Gianluca Gabrielli
Modified: 2021-07-10 13:20 UTC
Found By: Security Response Team
Description Gianluca Gabrielli 2021-06-04 09:04:15 UTC
The flash read-out protection (RDP) level is not enforced during the device
initialization phase of the SoloKeys Solo 4.0.0 & Somu and the Nitrokey FIDO2
token. This allows an adversary to downgrade the RDP level and access secrets
such as private ECC keys from SRAM via the debug interface.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27208
http://www.cvedetails.com/cve/CVE-2020-27208/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27208
https://github.com/solokeys/solo/commit/a9c02cd354f34b48195a342c7f524abdef5cbcec
https://www.aisec.fraunhofer.de/de/das-institut/wissenschaftliche-exzellenz/security-and-trust-in-open-source-security-tokens.html
https://twitter.com/SoloKeysSec
https://www.aisec.fraunhofer.de/en/FirmwareProtection.html
https://solokeys.com
https://eprint.iacr.org/2021/640
Comment 1 Gianluca Gabrielli 2021-06-04 09:04:51 UTC
Affected package:
 - openSUSE:Factory/solo

Please upgrade it to the latest version.
Comment 2 Matthias Bach 2021-06-04 13:34:39 UTC
Technically nothing in the openSUSE package should be affected because we only package the UDEV rules and the issue is in the firmware, which is in the same repo but not part of anything we ship in openSUSE.

I'll upgrade the package anyhow to avoid any confusion about whether there might be a vulnerability or not.
Comment 3 OBSbugzilla Bot 2021-06-04 14:50:03 UTC
This is an autogenerated message for OBS integration:
This bug (1186848) was mentioned in
https://build.opensuse.org/request/show/897463 Factory / solo
Comment 4 OBSbugzilla Bot 2021-06-05 09:30:11 UTC
This is an autogenerated message for OBS integration:
This bug (1186848) was mentioned in
https://build.opensuse.org/request/show/897653 15.2+Backports:SLE-15-SP2+Backports:SLE-15-SP3 / solo
https://build.opensuse.org/request/show/897654 15.2+Backports:SLE-15-SP2+Backports:SLE-15-SP3 / solo
https://build.opensuse.org/request/show/897655 15.2+Backports:SLE-15-SP2+Backports:SLE-15-SP3 / solo
Comment 5 Swamp Workflow Management 2021-07-10 13:20:07 UTC
openSUSE-SU-2021:1019-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1186848
CVE References: CVE-2020-27208
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    solo-4.1.2-lp152.2.3.1
openSUSE Backports SLE-15-SP3 (src):    solo-4.1.2-bp153.2.3.1
openSUSE Backports SLE-15-SP2 (src):    solo-4.1.2-bp152.3.3.1