PT-2021-9436 · Nitrokey · Nitrokey Fido U2F
Published: 2021-05-21 · Updated: 2022-10-05 · CVE-2020-12061
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Nitrokey FIDO U2F firmware versions through 1.1
Description
An issue in the communication between the microcontroller and the secure element allows an adversary to eavesdrop and derive secrets stored in the microcontroller, enabling arbitrary manipulation of the firmware.
Recommendations
For versions through 1.1, as a temporary workaround, consider restricting access to the communication between the microcontroller and the secure element until a patch is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Insufficiently Protected Credentials
Weakness Enumeration
Related Identifiers
Affected Products
Nitrokey Fido U2F