Ledger Discovers HSM Vulnerabilities

An HSM is an external device designed to store the public and private keys used to generate digital signatures and to encrypt data; such devices are used by banks, exchanges and others
10 June 2019

A group of researchers from Ledger has identified several vulnerabilities in Hardware Security Module (HSM) devices that can be used to extract keys or to remotely replace the firmware of an HSM. The report on the problems is currently available only in French; an English-language report is scheduled to be published in August at the Black Hat USA 2019 conference. An HSM is a specialized external device designed to store the public and private keys used to generate digital signatures and to encrypt data.

An HSM significantly strengthens protection because it completely isolates keys from the host system and its applications, exposing only an API for basic cryptographic primitives that are executed on the device itself. HSMs are typically used where the highest level of protection is required, for example in banks, cryptocurrency exchanges, and certification authorities that verify and issue certificates and digital signatures.

The proposed attack methods allow an unauthenticated user to gain complete control over the contents of the HSM, including extracting all cryptographic keys and administrative credentials stored on the device. The problems stem from a buffer overflow in the internal PKCS#11 command handler and from an error in the implementation of the firmware's cryptographic protection, which bypasses the PKCS#1 v1.5 digital-signature check on the firmware and allows the attacker's own firmware to be loaded into the HSM.

The name of the manufacturer whose HSM devices are affected has not yet been disclosed, but the vulnerable devices are said to be used by some large banks and cloud service providers. It is also reported that the manufacturer was notified in advance and has already fixed the vulnerabilities in a recent firmware update. Independent researchers suggest that the affected products may be those of Gemalto, which in May released a Sentinel LDK update fixing vulnerabilities whose details remain undisclosed.

NethServer Version 7.7 Released

The release is based on the CentOS 7.7 package base and gives users a web-based interface for managing the available server components
07 November 2019

The release of NethServer 7.7, a distribution offering a modular solution for the rapid deployment of servers in small offices and medium-sized enterprises, has been announced. The distribution is based on the CentOS 7.7 package base and provides a web-based interface for managing the available server components. The installation image is 1.1 GB. An online demo is available for getting acquainted with the interface. The project's code is distributed under free licenses.

The user is offered ready-made modules for running a mail server (Postfix, Dovecot, Amavis, ClamAV plus the Roundcube web client), a collaboration system (SOGo), a firewall (Shorewall), a web server (LAMP), a file server and Active Directory domain controller (Samba), a filtering proxy (Squid, ClamAV and SquidGuard), a VPN server (OpenVPN, L2TP), cloud storage (ownCloud), and intrusion detection and prevention systems. Installing and commissioning a service takes one click and does not require knowledge of each component's configuration details. Routine administration tasks can be performed through the web interface.

Key innovations:

  • The new user interface, built on Cockpit and offering a more modern design, has entered beta testing and is included in the default installation. Existing systems can try the interface by installing Server Manager from the Software Center. The interface provides tools for managing accounts, DNS, DHCP, the FQDN, time settings, backups, networking, TLS encryption, the system itself, application installation, storage, and SSL certificates;
  • A new VPN configuration interface that lets you view traffic per tunnel, track each user's connection history, and quickly send connection parameters by email. The interface also allows you to define custom routes, switch between UDP and TCP, and enable or disable an account.

More information is available on the official website and in the release notes.