CWE
203
Advisory Published
Updated

CVE-2019-15809

First published: Thu Oct 03 2019(Updated: )

Smart cards from the Athena SCS manufacturer, based on the Atmel Toolbox 00.03.11.05 and the AT90SC chip, contain a timing side channel in ECDSA signature generation. This allows a local attacker, able to measure the duration of hundreds to thousands of signing operations, to compute the private key used. The issue occurs because the Atmel Toolbox 00.03.11.05 contains two versions of ECDSA signature functions, described as fast and secure, but the affected cards chose to use the fast version, which leaks the bit length of the random nonce via timing. This affects Athena IDProtect 010b.0352.0005, Athena IDProtect 010e.1245.0002, Athena IDProtect 0106.0130.0401, Athena IDProtect 010e.1245.0002, Valid S/A IDflex V 010b.0352.0005, SafeNet eToken 4300 010e.1245.0002, TecSec Armored Card 010e.0264.0001, and TecSec Armored Card 108.0264.0001.

Credit: cve@mitre.org

Affected SoftwareAffected VersionHow to fix
Microchip Atmel Toolbox=00.03.11.05
Athena-scs Idprotect=010b.0352.0005
Athena-scs Idprotect=010e.1245.0002
Athena-scs Idprotect=0106.0130.0401
Cryptsoft S\/a Idflex V=010b.0352.0005
TecSec Armored Card=010e.0264.0001
TecSec Armored Card=108.0264.0001
Thalesgroup Etoken 4300=010e.1245.0002

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Frequently Asked Questions

  • What is CVE-2019-15809?

    CVE-2019-15809 is a vulnerability in smart cards from the Athena SCS manufacturer, based on the Atmel Toolbox 00.03.11.05 and the AT90SC chip, that allows a local attacker to compute the private key by exploiting a timing side channel in ECDSA signature generation.

  • What is the severity level of CVE-2019-15809?

    CVE-2019-15809 has a severity level of medium (4.7).

  • How does CVE-2019-15809 affect the affected software?

    CVE-2019-15809 affects the following software versions: Microchip Atmel Toolbox 00.03.11.05, Athena-scs Idprotect 010b.0352.0005, Athena-scs Idprotect 010e.1245.0002, Athena-scs Idprotect 0106.0130.0401, Cryptsoft S/a Idflex V 010b.0352.0005, TecSec Armored Card 010e.0264.0001, TecSec Armored Card 108.0264.0001, Thalesgroup Etoken 4300 010e.1245.0002.

  • How can a local attacker exploit CVE-2019-15809?

    A local attacker can exploit CVE-2019-15809 by measuring the duration of hundreds to thousands of signing operations to compute the private key of the smart cards.

  • Where can I find more information about CVE-2019-15809?

    More information about CVE-2019-15809 can be found at the following references: http://www.openwall.com/lists/oss-security/2019/10/02/2, https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/details?source=ECDSA&number=214, https://eprint.iacr.org/2011/232.pdf

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203