PT-2019-14400 · Atmel+4 · Atmel Toolbox+4

Keegan Ryan · Published 2019-10-03 · Updated 2021-04-13 · CVE-2019-15809

CVSS v3.1: 4.7 Medium

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Athena IDProtect versions 010b.0352.0005 through 010e.1245.0002
Valid S/A IDflex V version 010b.0352.0005
SafeNet eToken 4300 version 010e.1245.0002
TecSec Armored Card versions 010e.0264.0001 through 108.0264.0001
Athena IDProtect version 0106.0130.0401

Description

The issue is related to a timing side channel in ECDSA signature generation, which allows a local attacker to compute the private key used by measuring the duration of hundreds to thousands of signing operations. This occurs because the Atmel Toolbox 00.03.11.05 contains two versions of ECDSA signature functions, and the affected cards use the fast version, which leaks the bit length of the random nonce via timing.

Recommendations

For Athena IDProtect versions 010b.0352.0005 through 010e.1245.0002, consider disabling the use of the fast ECDSA signature function until a patch is available.
For Valid S/A IDflex V version 010b.0352.0005, restrict access to the ECDSA signature generation functionality to minimize the risk of exploitation.
For SafeNet eToken 4300 version 010e.1245.0002, avoid using the affected cards for sensitive operations until a fix is provided.
For TecSec Armored Card versions 010e.0264.0001 through 108.0264.0001, consider implementing additional security measures to prevent local attackers from measuring the signing operation duration.
For Athena IDProtect version 0106.0130.0401, temporarily disable the ECDSA signature generation functionality to prevent potential exploitation.

Exploit

Fix

Side Channel Attack


Weakness Enumeration

Related Identifiers

CVE-2019-15809

Affected Products

Athena Idprotect
Atmel Toolbox
Idflex V
Safenet Etoken 4300
Tecsec Armored Card