PT-2021-11313 · Nitrokey+2 · Nitrokey Fido2 Token+2

Published

2021-05-21

Updated

2021-07-10

CVE-2020-27208

CVSS v3.1

6.8

Medium

Vector

AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: SoloKeys Solo versions 4.0.0 Nitrokey FIDO2 token (affected versions not specified)

Description: The issue concerns the flash read-out protection (RDP) level not being enforced during the device initialization phase. This allows an adversary to downgrade the RDP level and access secrets, such as private ECC keys from SRAM, via the debug interface.

Recommendations: For SoloKeys Solo version 4.0.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For Nitrokey FIDO2 token, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Inadequate Encryption Strength

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-326

Related Identifiers

CVE-2020-27208

OPENSUSE-SU-2021:1019-1

OPENSUSE-SU-2021_1019-1

Affected Products

Nitrokey Fido2 Token

Solo

Suse

PT-2021-11313 · Nitrokey+2 · Nitrokey Fido2 Token+2

CVE-2020-27208

Weakness Enumeration

Related Identifiers

Affected Products

References · 13