CVE-2020-27208

The flash read-out protection (RDP) level is not enforced during the device initialization phase of the SoloKeys Solo 4.0.0 & Somu and the Nitrokey FIDO2 token. This allows an adversary to downgrade the RDP level and access secrets such as private ECC keys from SRAM via the debug interface.

CVSS v3.0 6.8 MEDIUM
CVSS v2.0 4.6 MEDIUM

6.8^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 5.9

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

4.6^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 3.9 / Impact : 6.4

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://twitter.com/SoloKeysSec	Product
https://solokeys.com	Product
https://eprint.iacr.org/2021/640	Third Party Advisory
https://www.aisec.fraunhofer.de/en/FirmwareProtection.html	Exploit Third Party Advisory
https://github.com/solokeys/solo/commit/a9c02cd354f34b48195a342c7f524abdef5cbcec	Patch Third Party Advisory
https://www.aisec.fraunhofer.de/de/das-institut/wissenschaftliche-exzellenz/security-and-trust-in-open-source-security-tokens.html	Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:solokeys:solo_firmware:4.0.0:*:*:*:*:*:*:*

cpe:2.3:h:solokeys:solo:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:solokeys:somu_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:solokeys:somu:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:nitrokey:fido2_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:nitrokey:fido2:-:*:*:*:*:*:*:*

Information

Published : 2021-05-21 05:15

Updated : 2021-05-28 08:41

NVD link : CVE-2020-27208

Mitre link : CVE-2020-27208

JSON object : View

CWE

CWE-326

Inadequate Encryption Strength

Advertisement

Products Affected

solokeys

solo
somu_firmware
solo_firmware
somu

nitrokey

fido2
fido2_firmware

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://twitter.com/SoloKeysSec", "name": "https://twitter.com/SoloKeysSec", "tags": ["Product"], "refsource": "MISC"}, {"url": "https://solokeys.com", "name": "https://solokeys.com", "tags": ["Product"], "refsource": "MISC"}, {"url": "https://eprint.iacr.org/2021/640", "name": "https://eprint.iacr.org/2021/640", "tags": ["Third Party Advisory"], "refsource": "MISC"}, {"url": "https://www.aisec.fraunhofer.de/en/FirmwareProtection.html", "name": "https://www.aisec.fraunhofer.de/en/FirmwareProtection.html", "tags": ["Exploit", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/solokeys/solo/commit/a9c02cd354f34b48195a342c7f524abdef5cbcec", "name": "https://github.com/solokeys/solo/commit/a9c02cd354f34b48195a342c7f524abdef5cbcec", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://www.aisec.fraunhofer.de/de/das-institut/wissenschaftliche-exzellenz/security-and-trust-in-open-source-security-tokens.html", "name": "https://www.aisec.fraunhofer.de/de/das-institut/wissenschaftliche-exzellenz/security-and-trust-in-open-source-security-tokens.html", "tags": ["Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The flash read-out protection (RDP) level is not enforced during the device initialization phase of the SoloKeys Solo 4.0.0 & Somu and the Nitrokey FIDO2 token. This allows an adversary to downgrade the RDP level and access secrets such as private ECC keys from SRAM via the debug interface."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-326"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2020-27208", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.6, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.9}}, "publishedDate": "2021-05-21T12:15Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:solokeys:solo_firmware:4.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:solokeys:solo:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:solokeys:somu_firmware:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:solokeys:somu:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:nitrokey:fido2_firmware:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:nitrokey:fido2:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2021-05-28T15:41Z"}