Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
akamaiblogAkamai InfoSecAKAMAIBLOG:2FB7775A2DCF6FD1352A30E49445AC5F
HistoryOct 25, 2017 - 10:55 a.m.

What You Need To Know About The "ROCA" vulnerability

2017-10-2510:55:00
Akamai InfoSec
feedproxy.google.com
33
JSON

By Daniel Franke, Infosec Researcher

Akamai is aware of the recently-disclosed β€œROCA” vulnerability in cryptographic firmware used in products made by Infineon Technologies. A bug in the firmware’s prime-search algorithm used for RSA key generation results in RSA keys that are relatively cheap and inexpensive to factor. The bug impacts Infineon Trusted Platform Modules (TPMs) as well as many smartcards and Hardware Security Modules (HSMs) that use Infineon chips but do not carry Infineon branding, notably including the popular YubiKey 4. In some cases, it may be possible to patch affected devices with an OEM-supplied firmware update. In other cases, the hardware must be replaced.

Any RSA key generated on a vulnerable device must be considered compromised and be revoked and rotated. Keys for algorithms other than RSA, such as OpenSSH, are unaffected. RSA keys generated in software and then transferred onto vulnerable devices are also unaffected. You can test whether a key is vulnerable by uploading the public key to https://keychest.net/roca.

Akamai has determined that no customer-facing systems are impacted by this vulnerability; in particular, customer TLS certificates are unaffected and no action is needed.

JSON