CVE-2004-0320

CVE-2004-0320 concerns nCipher Hardware Security Modules (HSM) versions 1.67.x–1.99.x. It describes a local-access flaw where an attacker can access secrets stored in the module’s run-time memory via certain sequences of commands. The publicly stated impact is partial confidentiality with local a...

CVE-2004-0320

Unknown vulnerability in nCipher Hardware Security Modules HSM 1.67.x through 1.99.x allows local users to access secrets stored in the module's run-time memory via certain sequences of commands...

nCipher netHSM information leak

Pass phrases entered by means of the nCipher netHSM front panel, either using the built in thumbwheel or using a directly attached keyboard, are exposed in the netHSM system log...

nCipher HSM information leak

Under special conditions it's possible access private application data, including keys...

CVE-2004-0063

The SPPVerifyPVV function in nCipher payShield SPP library 1.3.12, 1.5.18 and 1.6.18 returns a StatusOK value even if the HSM returns a different status code, which could cause applications to make incorrect security-critical decisions, e.g. by accepting an invalid PIN number...

CVE-2003-1417

nCipher Support Software 6.00, when using generatekey KeySafe to import keys, does not delete the temporary copies of the key, which may allow local users to gain access to the key by reading the 1 key.pem or 2 key.der files...

CVE-2002-0941

The CVE-2002-0941 entry concerns the ConsoleCallBack class for nCipher running under JRE 1.4.0 and 1.4.0_01, used by the TrustedCodeTool and possibly other applications. The issue is a passphrase leak that occurs when a user aborts an application prompting for the passphrase, which could allow an...

CVE-2002-0941

The ConsoleCallBack class for nCipher running under JRE 1.4.0 and 1.4.001, as used by the TrustedCodeTool and possibly other applications, may leak a passphrase when the user aborts an application that is prompting for the passphrase, which could allow attackers to gain privileges...

Information leakage via key file duplication during nCipher import

generatekey utility creates temporary PEM file and fails to delete it...

nCipher Advisory #7: Unexpected copies of imported software keys

nCipher Security Advisory No. 7 Unexpected duplicates of imported software based keys ----------------------------------------------------- SUMMARY ------- When either the command line utility generatekey or the KeySafe graphical application is used to import a software based key into an nCipher...

Weak nCipher PKCS#11 encryption

Library error may lead to uncrypted key in certificate...

CVE-2002-0941

The ConsoleCallBack class for nCipher running under JRE 1.4.0 and 1.4.001, as used by the TrustedCodeTool and possibly other applications, may leak a passphrase when the user aborts an application that is prompting for the passphrase, which could allow attackers to gain privileges...

CVE-2002-0939

The Install Wizard for nCipher MSCAPI CSP 5.50 does not use Operator Card Set protected keys when the user requests them but does not generate the Operator Card Set, which results in a lower protection level than specified by the user module protection only...

CVE-2002-0940

domesticinstall.exe for nCipher MSCAPI CSP 5.50 and 5.54 does not use Operator Card Set protected keys when the user requests them but does not generate the Operator Card Set, which results in a lower protection level than specified by the user module protection only...

CVE-2002-0939

The Install Wizard for nCipher MSCAPI CSP 5.50 does not use Operator Card Set protected keys when the user requests them but does not generate the Operator Card Set, which results in a lower protection level than specified by the user module protection only...

CVE-2002-0940

domesticinstall.exe for nCipher MSCAPI CSP 5.50 and 5.54 does not use Operator Card Set protected keys when the user requests them but does not generate the Operator Card Set, which results in a lower protection level than specified by the user module protection only...

CVE-2002-0940

This CVE concerns domesticinstall.exe for nCipher MSCAPI CSP 5.50 and 5.54, where the software does not use Operator Card Set protected keys when the user requests them if the Operator Card Set has not been generated. The outcome is a lower protection level than the user-specified module protecti...

CVE-2002-0939

The CVE applies to the Install Wizard for nCipher MSCAPI CSP 5.50. The issue is that when a user requests Operator Card Set protected keys but does not actually generate the Operator Card Set, the wizard ends up using only module protection rather than the higher protection level that the user in...

CVE-2002-1446

The error checking routine used for the CVerify call on a symmetric verification key in the nCipher PKCS11 library 1.2.0 and later returns the CKROK status even when it detects an invalid signature, which could allow remote attackers to modify or forge messages...

nCipher Advisory #4: Console Java apps can leak passphrases on Windows

nCipherTM Security Advisory No. 4 Console Java applications can leak passphrases on Windows ========================================================= SUMMARY ======= In certain circumstances, JavaTM applications using the standard nCipher ConsoleCallBack class on Windows NT/2000 can be made to le...