Ledger Discovers HSM Vulnerabilities

An HSM is an external device designed to store the public and private keys used to generate digital signatures and to encrypt data; HSMs are used by banks, exchanges and others
10 June 2019

A group of researchers from Ledger has identified several vulnerabilities in Hardware Security Module (HSM) devices that can be used to extract keys or to remotely replace the firmware of the device. The report is currently available only in French; an English-language version is scheduled to be presented in August at the Black Hat USA 2019 conference. An HSM is a specialized external device designed to store the public and private keys used to generate digital signatures and to encrypt data.

An HSM raises the level of protection considerably because it isolates the keys completely from the host system and its applications, exposing only an API for a set of basic cryptographic primitives that are executed on the device itself. HSMs are typically deployed where the highest level of protection is required, for example in banks, cryptocurrency exchanges and certification authorities that generate and verify certificates and digital signatures.

The attack methods described allow an unauthenticated user to gain complete control over the contents of the HSM, including extraction of all cryptographic keys and administrative credentials stored on the device. The problems stem from a buffer overflow in the device's internal PKCS#11 command handler and from an error in the implementation of the firmware's cryptographic protection, which bypasses the PKCS#1 v1.5 signature check on firmware images and allows attacker-supplied firmware to be loaded onto the HSM.
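The report does not publish the vulnerable handler, so the following is an added illustration of the bug class it names, not the vendor's code or Ledger's proof of concept. It models a PKCS#11-style "set attribute" command inside an HSM whose device memory is a constructed flat byte array: a 32-byte attribute slot sits directly before 16 bytes of administrative state. The message layout, the slot size and the admin bytes are all assumptions for the example; the return-code values are the ones the PKCS#11 specification assigns. The vulnerable handler trusts the host-supplied length, the hardened one validates it against the destination first.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Return codes, with the values the PKCS#11 specification assigns to them. */
#define CKR_OK                      0x00u
#define CKR_ATTRIBUTE_VALUE_INVALID 0x13u

/* Constructed flat model of device RAM: a 32-byte attribute slot followed
 * directly by 16 bytes of administrative state, standing in for the keys and
 * admin credentials that sit next to command buffers inside a real HSM. */
#define SLOT_OFF  0u
#define SLOT_MAX  32u
#define ADMIN_OFF 32u
#define ADMIN_LEN 16u
#define DEV_MEM   128u

static uint8_t dev_mem[DEV_MEM];
static const uint8_t admin_state[ADMIN_LEN] = {
    0xA5, 0x5A, 0xA5, 0x5A, 0xA5, 0x5A, 0xA5, 0x5A,
    0xA5, 0x5A, 0xA5, 0x5A, 0xA5, 0x5A, 0xA5, 0x5A
};

/* Host-to-device "set attribute" message (assumed layout; the real wire format
 * is vendor specific). ulValueLen is chosen by the host, i.e. by the attacker. */
typedef struct {
    uint32_t type;         /* CKA_* attribute type */
    uint32_t ulValueLen;   /* host-supplied length of pValue */
    uint8_t  pValue[64];   /* value bytes; only the first ulValueLen matter */
} set_attr_msg_t;

static void device_reset(void)
{
    memset(dev_mem, 0, sizeof dev_mem);
    memcpy(dev_mem + ADMIN_OFF, admin_state, ADMIN_LEN);
}

int admin_state_intact(void)
{
    return memcmp(dev_mem + ADMIN_OFF, admin_state, ADMIN_LEN) == 0;
}

/* Vulnerable handler: the copy is bounded by the size of the incoming message,
 * never by the size of the destination slot, so any ulValueLen from 33 to 64
 * writes past the slot into the admin state. (The cap keeps this model free
 * of undefined behaviour; real firmware often has no cap at all.) */
uint32_t set_attr_vulnerable(const set_attr_msg_t *msg)
{
    size_t n = msg->ulValueLen;
    if (n > sizeof msg->pValue)
        n = sizeof msg->pValue;
    memcpy(dev_mem + SLOT_OFF, msg->pValue, n);   /* overflows when n > SLOT_MAX */
    return CKR_OK;
}

/* Hardened handler: validate the host-supplied length against the destination
 * before touching memory, and reject (never silently truncate) oversize input. */
uint32_t set_attr_hardened(const set_attr_msg_t *msg)
{
    if (msg->ulValueLen > SLOT_MAX || msg->ulValueLen > sizeof msg->pValue)
        return CKR_ATTRIBUTE_VALUE_INVALID;
    memcpy(dev_mem + SLOT_OFF, msg->pValue, msg->ulValueLen);
    return CKR_OK;
}

/* Constructed oversize command: 48 bytes for a 32-byte slot. */
static void oversize_msg(set_attr_msg_t *msg)
{
    memset(msg, 0, sizeof *msg);
    msg->type = 3;                  /* CKA_LABEL */
    msg->ulValueLen = 48;
    memset(msg->pValue, 'A', sizeof msg->pValue);
}

/* Returns 1 if a single oversize command overwrote the admin state. */
int demo_vulnerable_clobbers_admin_state(void)
{
    set_attr_msg_t msg;
    oversize_msg(&msg);
    device_reset();
    set_attr_vulnerable(&msg);
    return !admin_state_intact();
}

/* Returns 1 if the same command is rejected and the admin state is untouched. */
int demo_hardened_rejects_oversize(void)
{
    set_attr_msg_t msg;
    oversize_msg(&msg);
    device_reset();
    return set_attr_hardened(&msg) == CKR_ATTRIBUTE_VALUE_INVALID && admin_state_intact();
}

/* Returns 1 if an in-bounds value is stored and nothing else is disturbed. */
int demo_hardened_accepts_valid(void)
{
    set_attr_msg_t msg;
    oversize_msg(&msg);
    msg.ulValueLen = 16;
    device_reset();
    return set_attr_hardened(&msg) == CKR_OK
        && memcmp(dev_mem + SLOT_OFF, msg.pValue, 16) == 0
        && admin_state_intact();
}
```

The check that matters is the comparison against the destination size, done before the copy; a check against the message size alone (as in the vulnerable handler) only guarantees the read is in bounds. In a real device the bytes written past the slot are attacker-chosen, which is what turns a single unchecked length field into control over adjacent keys, credentials or code pointers.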

The manufacturer whose HSM devices are affected has not yet been named, but the affected devices are said to be in use at some large banks and cloud service providers. The researchers report that the problems were disclosed to the manufacturer in advance and that it has already fixed the vulnerabilities in a recent firmware update. Independent researchers suggest that the devices may be Gemalto's, as Gemalto released an update to Sentinel LDK in May that fixes vulnerabilities whose details are still restricted.
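The report's second finding is that the firmware loader's PKCS#1 v1.5 signature check can be bypassed, but the specific defect has not been published. The following is an added example, not code from the report or the vendor, showing what a strict verifier of the encoded message EM = 0x00 || 0x01 || PS || 0x00 || T must check, next to a lax pattern that accepts malformed encodings. The RSA operation is omitted: EM is constructed directly as what s^e mod n would produce for a 2048-bit modulus, with a constructed SHA-256 firmware hash.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EM_LEN   256u                    /* 2048-bit modulus */
#define HASH_LEN 32u

/* DER DigestInfo header for SHA-256 (RFC 8017, section 9.2, note 1). */
static const uint8_t sha256_di_prefix[19] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
};
#define T_LEN (sizeof sha256_di_prefix + HASH_LEN)   /* 51 bytes */

/* Strict verifier: EM must be exactly 00 01 FF..FF 00 T, with the 0xFF
 * padding filling every byte not occupied by T. Returns 1 on match. */
int verify_em_strict(const uint8_t *em, size_t em_len, const uint8_t *hash)
{
    if (em_len < T_LEN + 11)             /* 00 01, at least eight 0xFF, 00 */
        return 0;
    if (em[0] != 0x00 || em[1] != 0x01)
        return 0;
    size_t ps_len = em_len - T_LEN - 3;  /* padding length is fixed by em_len */
    for (size_t i = 2; i < 2 + ps_len; i++)
        if (em[i] != 0xFF)
            return 0;
    if (em[2 + ps_len] != 0x00)
        return 0;
    const uint8_t *t = em + 3 + ps_len;
    if (memcmp(t, sha256_di_prefix, sizeof sha256_di_prefix) != 0)
        return 0;
    return memcmp(t + sizeof sha256_di_prefix, hash, HASH_LEN) == 0;
}

/* Lax verifier: skips however many 0xFF bytes happen to be present, compares
 * the DigestInfo where it lands, and never looks at what follows T. */
int verify_em_lax(const uint8_t *em, size_t em_len, const uint8_t *hash)
{
    if (em_len < 2 || em[0] != 0x00 || em[1] != 0x01)
        return 0;
    size_t i = 2;
    while (i < em_len && em[i] == 0xFF)
        i++;
    if (i >= em_len || em[i] != 0x00)
        return 0;
    i++;
    if (em_len - i < T_LEN)
        return 0;
    if (memcmp(em + i, sha256_di_prefix, sizeof sha256_di_prefix) != 0)
        return 0;
    /* bytes after T, if any, are never examined */
    return memcmp(em + i + sizeof sha256_di_prefix, hash, HASH_LEN) == 0;
}

/* Builds a 256-byte EM with ps_len bytes of 0xFF padding; whatever space is
 * left after T is filled with `filler`, standing in for attacker-chosen bytes. */
static void build_em(uint8_t *em, size_t ps_len, const uint8_t *hash, uint8_t filler)
{
    memset(em, filler, EM_LEN);
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xFF, ps_len);
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, sha256_di_prefix, sizeof sha256_di_prefix);
    memcpy(em + 3 + ps_len + sizeof sha256_di_prefix, hash, HASH_LEN);
}

/* Well-formed EM (202 bytes of padding, T ends at the last byte):
 * returns 1 when both verifiers accept it. */
int demo_wellformed_accepted_by_both(void)
{
    uint8_t em[EM_LEN], hash[HASH_LEN];
    memset(hash, 0x42, HASH_LEN);                 /* constructed firmware hash */
    build_em(em, EM_LEN - T_LEN - 3, hash, 0x00);
    return verify_em_strict(em, EM_LEN, hash) && verify_em_lax(em, EM_LEN, hash);
}

/* Malformed EM: only 8 bytes of padding, T pulled forward, 194 free bytes
 * after it. Returns 1 when the lax verifier accepts and the strict one rejects. */
int demo_malformed_splits_verifiers(void)
{
    uint8_t em[EM_LEN], hash[HASH_LEN];
    memset(hash, 0x42, HASH_LEN);
    build_em(em, 8, hash, 0x7B);
    return verify_em_lax(em, EM_LEN, hash) == 1 && verify_em_strict(em, EM_LEN, hash) == 0;
}
```

The difference is whether the verifier derives the padding length from the modulus size and accounts for every byte, or lets the signature decide where T starts. Free bytes after T are what the well-known 2006 forgery against lax PKCS#1 v1.5 verifiers exploits with small public exponents: the attacker picks them so that EM becomes a perfect e-th root, and no private key is needed. Whether the vendor's defect was of this kind is not stated in the report; the example shows the class of check a firmware loader must get right.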

Red Hat Enterprise Linux 7.7 Is Available

The new version of the popular Linux distribution brings many updates and new features
07 August 2019

Red Hat has released the Red Hat Enterprise Linux 7.7 distribution. Installation images for RHEL 7.7 are available for download only to registered users of the Red Hat Customer Portal and are built for the x86_64, IBM POWER7+ and POWER8 (big-endian and little-endian) and IBM System z architectures. Source packages can be downloaded from the CentOS project's Git repository.

With Red Hat Enterprise Linux 7.7, we show our continued commitment to the 10-year Red Hat Enterprise Linux lifecycle while also introducing key new features, like image builder and Red Hat Insights, to help IT organizations get the most from their existing Red Hat Enterprise Linux 7 investments.

Stefanie Chiras

Vice president and general manager, Red Hat Enterprise Linux, Red Hat

The RHEL 7.x branch, now succeeded by RHEL 8.x, will be supported until June 2024. RHEL 7.7 is the last release of the Full Support phase, which includes functional enhancements; beginning with RHEL 7.8 the branch moves into the Maintenance Support phase, limited to bug fixes, security updates and support for important new hardware.

The new version contains many updates and changes. Among them:

  • Full support for kernel live patching (kpatch), which fixes vulnerabilities in the Linux kernel without rebooting the system or interrupting running workloads. Previously, kpatch was an experimental feature;
  • Added python3 packages with the Python 3.6 interpreter. Previously, Python 3 was only shipped in Red Hat Software Collections. Python 2.7 remains the default (the switch to Python 3 was made in RHEL 8);
  • System-wide display presets (/etc/xdg/monitors.xml) have been added to the Mutter window manager, so display settings no longer need to be configured separately for each user.

The full list of changes is available on the official website.