CVE-2017-15361
moderate-risk
Published 2017-10-16
The Infineon RSA library 1.02.013 in Infineon Trusted Platform Module (TPM) firmware, such as versions before 0000000000000422 - 4.34, before 000000000000062b - 6.43, and before 0000000000008521 - 133.33, mishandles RSA key generation, which makes it easier for attackers to defeat various cryptographic protection mechanisms via targeted attacks, aka ROCA. Examples of affected technologies include BitLocker with TPM 1.2, YubiKey 4 (before 4.3.5) PGP key generation, and the Cached User Data encryption feature in Chrome OS.
Do I need to act?
!
73.4% chance of exploitation in next 30 days
EPSS score — higher than 27% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10
Medium
NETWORK
/ HIGH complexity
Affected Products (5)
Affected Vendors
References (44)
Third Party Advisory
http://www.securityfocus.com/bid/101484
Issue Tracking
https://crocs.fi.muni.cz/public/papers/rsa_ccs17
Mitigation
https://github.com/crocs-muni/roca
Issue Tracking
https://keychest.net/roca
Mitigation
https://monitor.certipath.com/rsatest
and 24 more references
49
/ 100
moderate-risk
Severity
18/34 · Moderate
Exploitability
19/34 · Moderate
Exposure
12/34 · Low