
Security Updates


ProtectServer PCIe HSM/Network HSM/Network HSM Plus Vulnerabilities

16 Jan 2020

The Thales Product Security Team has investigated additional vulnerabilities in the ProtectServer PCIe HSMs related to legacy readers and login. Customers who use this product are advised to review the security bulletin at KB0020849.

Update 10 June 2019

Thales has a long-standing relationship with Ledger and is supplying hardware security modules (HSM) for Ledger Vault deployments, Ledger’s offering to secure digital asset operations. In 2018 Ledger made Thales aware of security issues restricted to the Thales ProtectServer HSMs running firmware versions from 3.20.00 to 3.20.10 and ProtectServer-2 HSMs running firmware between 5.00.02 and 5.03.00 (excluding 5.01.03). Immediate action was taken by Thales to resolve these issues and to contact our customers with remediation action. Full details of the patch were published to our security updates portal in November 2018.

All other HSM products, including Thales Luna, Thales Data Protection On Demand and payShield, are not impacted in any way by the issues presented in Ledger’s research. We take any security claim very seriously and are grateful to Ledger for notifying us of these issues and working with us to resolution. We value the contribution of researchers and security professionals in our efforts towards continuous improvement of the security of our products.

Customers are advised to take action as described at KB0018211 to mitigate the risk.

Update 13 March 2019

The Thales Enterprise and Cybersecurity Team has investigated recently reported vulnerabilities in the Protect Server PSI-E/PSE products (end of sale December 2014). These vulnerabilities may impact the integrity and availability of the product if exploited. Customers are advised to take action as described at KB0018211 to mitigate the risk.

For further questions or concerns, please contact Thales technical support at https://supportportal.gemalto.com/.

09 November 2018

The Thales Enterprise and Cybersecurity Team has investigated recently reported vulnerabilities in the Protect Server PSI-E2/PSE2 products. These vulnerabilities may impact the integrity and availability of the product if exploited. Customers are advised to take action as described at KB0018211 to mitigate the risk.

For further questions or concerns, please contact Thales technical support at https://supportportal.gemalto.com/.


Sentinel LDK Vulnerabilities

27 Dec 2019

The Thales Product Security Team has investigated a recently reported vulnerability in Sentinel LDK License Manager. Customers who use this product are advised to review the security bulletin at KB0020564.

08 Nov 2019

The Thales Product Security Team has investigated recently reported vulnerabilities in Sentinel LDK License Manager. Customers who use this product are advised to review the security bulletin at KB0020199.

15 Oct 2019

The Thales Product Security Team has investigated recently reported vulnerabilities in Sentinel LDK License Manager when installed as a service. Customers who use this product as a service are advised to review the security bulletin at KB0020074.

02 May 2019

The Thales Product Security Team has investigated recently reported vulnerabilities in the Sentinel LDK product. There are no known exploits of these vulnerabilities. Further information on the vulnerabilities is available at the following security bulletin link: KB0018794.

For further questions or concerns, please contact customer support at https://supportportal.gemalto.com/


Minerva Vulnerability

05 December 2019

Additional information regarding the impact of the vulnerability on the smart cards can be found at the following link: KB0020201.

21 November 2019

Czech academics have detailed a cryptographic attack that can recover Elliptic Curve Cryptography (ECC) private keys (ECDSA algorithms) used to sign operations on some smart cards and cryptographic libraries. Once obtained, the private key could allow attackers to spoof the attacked smartcards.

Thales takes this issue very seriously and is currently investigating the impact of this vulnerability on our smart cards. Further information is available at KB0020201.

Please continue to check the website where additional information will be posted as it becomes available.


CVE-2018-7183 NTP Vulnerability

27 November 2018

CVE-2018-7183 - Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 could allow remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array in the ntp client/daemon.

The Thales Enterprise and Cybersecurity Team has investigated and applied additional security measures to address the impact of this vulnerability in Thales Network HSM/SafeNet Luna Network HSM products. Mitigation guidance and details may be found at KB0018260. There are no known exploits of this vulnerability.


Foreshadow Vulnerabilities

Update 5 Sept 2018

For further information on the mitigation guidelines, follow the security bulletin at the following link: KB0017929.

22 August 2018

The Thales Enterprise and Cybersecurity Team has investigated the recently announced vulnerabilities targeted by two exploits known as Foreshadow and Foreshadow-Next Generation (NG). These vulnerabilities affect modern Intel processors and could allow unauthorized access to sensitive data stored in memory, as documented in CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646.

The Foreshadow vulnerability (CVE-2018-3615) allows an attacker to extract data from SGX enclaves. None of Thales’s Enterprise and Cybersecurity products use SGX, so they are NOT impacted by this vulnerability.

The Foreshadow Next-Generation (NG) vulnerabilities (CVE-2018-3620, CVE-2018-3646) affect Virtual Machines (VMs), hypervisors (VMMs), operating system (OS) kernel memory and System Management Mode (SMM) memory. Intel has published a security advisory (INTEL-SA-00161) and released new microcode (patches) for the affected processors. Thales/SafeNet is following the security advisory, and appropriate security patches are being deployed in the cloud environments.

Customers who deployed Thales products/services on premise should ensure that the operating systems and hypervisors of the host machines are patched with the latest security updates where applicable.

Customers who have questions about these vulnerabilities should get in touch with their usual Thales Customer Support contact.


CVE-2018-8340: ADFS Security Feature Bypass Vulnerability

23 August 2018

The Thales Enterprise and Cybersecurity Team has investigated the recently announced ADFS vulnerabilities and determined that Thales ADFS agents are not impacted by the CVE-2018-8340. Customers are advised to ensure that they update the latest patch (MFA) from Microsoft (CVE-2018-8340) to mitigate the risk. At this time we do not have any evidence of any exploit of this vulnerability in our ADFS agent.


Meltdown & Spectre Vulnerabilities

Update 1 June 2018

The Thales Security Team has investigated recently published vulnerabilities CVE-2018-3639/3640. Our investigation has concluded that for this category of vulnerability to be exploitable, an attacker would have to be able to execute an arbitrary (i.e. malicious) code within the appliance environment. Thales/SafeNet appliance products are not impacted as arbitrary code cannot be executed to exploit either of these vulnerability variants. Notwithstanding, customers should ensure that the operating systems and hypervisors of the host machines are patched where applicable.

Update 19 January 2018

The Thales Enterprise and Cybersecurity Security Team is continuing to investigate the impact of these vulnerabilities to our products and services, revising as more information is available. In general, if products/services employ a potentially vulnerable processor, security measures are in place to prevent exploitation of the vulnerabilities. Updated information may be found at KB0017000.

Please continue to check this website where additional information will be posted as it becomes available.

Update 12 January 2018

The Thales Enterprise and Cybersecurity Security Team is continuing to investigate the impact of these vulnerabilities to our products and services, revising as more information is available. In general, if products/services employ a potentially vulnerable processor, security measures are in place to prevent exploitation of the vulnerabilities. Updated information may be found at KB0017000.

Please continue to check this website where additional information will be posted as it becomes available.

Update 09 January 2018

The Thales Enterprise and Cybersecurity Security Team has investigated the impact of these vulnerabilities to our products and services. In general, if products/services employ a potentially vulnerable processor, security measures are in place to prevent exploitation of the vulnerabilities. Further information is available at KB0017000.

Please continue to check this website where additional information will be posted as it becomes available.

04 January 2018

It has recently been announced that three vulnerabilities targeted by two exploits known as Meltdown and Spectre affect modern processors. These vulnerabilities could allow unauthorized access to sensitive data, as documented in CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754.

Thales takes this issue very seriously and is investigating the impact of these vulnerabilities on our products and solutions. Thales CERT is also closely monitoring updated information related to patch availability. In parallel, we are coordinating a regular follow-up with our cloud service providers. We have set up a dedicated team of security experts to work on the situation and we will continue to monitor any developments.

Customers who have questions about these vulnerabilities should get in touch with their usual Thales Customer Support contact. Please continue to check this website where additional information will be posted as it becomes available.


Sentinel LDK Vulnerabilities

Update 12 April 2018

Customers who have Sentinel LDK Run-time Environment (RTE) version 2.10-66 are advised to update their Sentinel LDK RTE to the latest Sentinel LDK RTE component (v7.80). Further information is available at the following security bulletin link: KB0017405.

Update 9 March 2018

Customers who have Sentinel LDK Run-time Environment (RTE) version 2.10-63 are advised to update their Sentinel LDK RTE to the latest Sentinel LDK RTE component (v7.65). This update can be found on the Sentinel Downloads site.

25 January 2018

In September 2017, Thales/SafeNet published notice advising Sentinel customers of vulnerabilities associated with the use of Sentinel LDK EMS server and License Manager services. These vulnerabilities may impact the confidentiality and integrity of the services if exploited.

This notice is to remind customers using these services to follow the mitigation guidelines outlined in the security bulletin at the following link: KB0016365.

Thales would like to acknowledge Kaspersky for responsible disclosure of these vulnerabilities.


SAML-Based Security Vulnerabilities

5 March 2018

Thales Security Teams have investigated a new vulnerability class (CVE-2017-11427) that affects SAML-based single sign-on (SSO) systems, reported by Duo Labs. This vulnerability, under certain conditions, could allow an attacker with authenticated access to a SAML Identity Provider (IdP) to impersonate a different user. Information on the vulnerabilities may be found at https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations.

Our analysis has determined that Thales Authentication Service (SAS); Thales Trusted Access (STA); and Data Protection as a Service (DPaaS) are NOT impacted by this vulnerability. Customers should validate that their SAML service providers are not impacted as well.


CVE-2017-15361 ROCA Vulnerability - Infineon RSA library does not properly generate RSA key pairs

Update - 30 November 2017

As part of our efforts to provide an interim solution to IDPrime.NET customers who have been affected by this ROCA vulnerability, we are releasing an updated version of our smart card middleware: IDGo 800 PKCS#11 v1.2.10, Thales Authentication Client 10.4 and Thales Minidriver 10.1. These releases enable the technical option outlined below as an interim solution. Clients who are using these products are directed to KB0016843 for further information.

Update - 17 November 2017

As part of our efforts to provide an interim solution to IDPrime.NET customers who have been affected by this ROCA vulnerability, we are releasing updated versions of our smart card middleware: IDGo 800 Minidriver, Thales Minidriver 10.1 and Thales Authentication Client. Clients who are using these products are directed to KB0016772 for further information.

26 October 2017

Our investigation has determined that End-of-sale IDPrime.NET products are impacted. The severity of the impact is dependent on customer use case and configuration. Clients who are using these products are directed to KB0016635 for further information.

20 October 2017

We are aware of the potential security vulnerability relating to RSA key generation which affects Infineon software cryptographic libraries as published. The vulnerability is linked to the RSA on-board key generation library optionally bundled with the chip by the silicon manufacturer. Infineon have stated that the chip itself is not affected.

Thales’s Enterprise and Cybersecurity generally available and currently supported authentication and data encryption products are NOT affected by this potential issue. Our investigation has determined that End-of-sale IDPrime.NET products may be affected. Clients who are using these products are directed to KB0016635 for further information. Please continue to check this website where additional information will be posted as it becomes available.


BlueBorne Bluetooth Vulnerability

19 September 2017

The Thales security team has determined that the Thales CT1100 and Thales K1100 Reader are not exploitable by the BlueBorne BLE vulnerability, which may affect Bluetooth enabled devices. Since these Thales products require target devices to have an active Bluetooth connection, which may make the device vulnerable to a BlueBorne attack, customers are advised to ensure that they have updated their Bluetooth interfaces with the corresponding fix on their OS from the respective OS vendor.

For more information about the BlueBorne Bluetooth vulnerability, please click HERE.


WannaCry Ransomware

15 May 2017

Thales/SafeNet is aware of the Shadow Brokers leak (WannaCry), mainly affecting Microsoft Windows services, and documented in MS17-010, MS14-068, MS10-061, MS09-050, MS08-067, CVE-2017-3623, CVE-2017-3622, CVE-2017-0146 and CVE-2017-0147, CVE-2014-6324, CVE-2009-3103, CVE-2008-4250, CVE-2003-0694 and CVE-2003-0681.

Our security teams are carrying out an inventory of potentially affected configurations. Depending on the level of exposure of each server, patches or containments are being deployed as soon as they are made available based on information from our suppliers. At this time we do not have evidence of any remote or local exploits for this vulnerability.


SAM Client Vulnerability

19 April 2017

SafeNet Authentication Manager Client is deployed with ActiveX components to perform actions on the end-user filesystem and end-user tokens. This could allow an attacker to use malicious JavaScript to invoke ActiveX methods and obtain unauthorized access to the end-user file system. Further information is available at KB0015461.

There are no known exploits of this vulnerability.


CVE-2015-2808 ARCFOUR Vulnerability

29 March 2017

CVE-2015-2808 is a CVSS medium-severity rated vulnerability that could allow a remote attacker to conduct plaintext recovery attacks by sniffing initial network traffic and then using a brute-force attack to extract the first few bytes of information of an encrypted message in plaintext.

The Thales Security Team has investigated the potential impact of this vulnerability to our products. Further information is available at https://supportportal.gemalto.com/csm?id=kb_article&sys_id=b784a4b54fbdf284873b69d18110c74d. There are no known exploits of this vulnerability.


APDU Protocol Weaknesses – eTokenPRO Java/SafeSite Classic

Update 27 January 2017

The information below has been updated to reflect mitigation strategies that may also be applicable to all eToken Java-based products. This information is outlined at https://kb.safenet-inc.com/kb/link.jsp?ID=TE2888.

16 September 2016

A recent research report highlighted weaknesses in the APDU protocol used to communicate with the eToken PRO Java tokens and SafeSite Classic TPC IS V1 smartcards.

Current Thales authentication tokens and middleware products are not affected by this report. Customers using end of sale eToken PRO Java tokens or older versions of Thales Authentication Client which may be affected are advised to follow the mitigation guidelines outlined in security bulletin https://kb.safenet-inc.com/kb/link.jsp?ID=TE2697.

Customers using End of Life SafeSite Classic TPC IS V1 smartcards are advised to follow the mitigation guidelines outlined in security bulletin https://kb.safenet-inc.com/kb/link.jsp?ID=TE2698.


OpenSSL Vulnerabilities CVE-2016-2107 and CVE-2016-2108

05 May 2016

OpenSSL announced two high severity vulnerabilities, CVE-2016-2107 and CVE-2016-2108, on 3 May 2016.

The Thales IDSS (SafeNet) Security Team is currently investigating the potential impact of these vulnerabilities to the IDSS product portfolio. At this time we do not have evidence of any remote or local exploits for this vulnerability. Further investigation updates will be posted as more information is available. Please continue to check for updates.


Multiple OpenSSL Vulnerabilities including CVE-2016-0800 (DROWN) and CVE-2016-0703 (Divide and Conquer)

Update 08 April 2016

Thales IDSS (SafeNet) Security Team investigation has determined that Thales IDSS products are not impacted by the CVE-2016-0800 (DROWN) and CVE-2016-0703 (Divide and Conquer) vulnerabilities.

1 March 2016

A number of vulnerabilities have been disclosed by OpenSSL including a high severity cross-protocol attack on TLS using SSLv2 identified as CVE-2016-0800 (DROWN) and a high severity divide-and-conquer key recovery attack identified as CVE-2016-0703 (Divide and Conquer) which can lead to a more efficient DROWN attack. A moderate severity vulnerability and multiple low severity vulnerabilities were also disclosed.

More information about these vulnerabilities is available in the OpenSSL Security Advisory at https://www.openssl.org/news/secadv/20160301.txt.

The Thales IDSS (SafeNet) Security Team is currently investigating the potential impact of these vulnerabilities to our products. Further information will be posted as we have results.


SAS Privilege Escalation Vulnerability

31 March 2016

The installation of several Thales Authentication Service Agents is vulnerable to privilege escalation due to weak ACLs assigned to some of the installation subdirectories and executable modules. This vulnerability, if exploited, may impact the integrity and availability of the affected modules but has no confidentiality impact. Exploiting this vulnerability requires local access and has medium complexity for agents that reside on servers and low complexity for agents that reside on client hosts. There are no known exploits of this vulnerability.

This vulnerability has been assigned the following CVE numbers: CVE-2015-7596 through CVE-2015-7598 and CVE-2015-7961 through CVE-2015-7967.

Please log in to the SafeNet Customer Portal for additional information and available patches to address this vulnerability.


CVE-2015-7547

18 February 2016

A major vulnerability has been disclosed publicly as CVE-2015-7547 that could lead to a stack-based buffer overflow in the DNS resolver of glibc v2.9 to v2.22. More information is available from the glibc developers at https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html.

The Thales Security Team is currently investigating the potential impact of this vulnerability to our products. Further information will be posted as we have results. We know of no attacks that use this specific vulnerability.


OpenSSH Vulnerability CVE-2016-0777/0778

Update 22 January 2016

The Thales IDSS (SafeNet) Security Team has investigated OpenSSH vulnerabilities CVE-2016-0777/0778. Thales IDSS products are not impacted by this vulnerability. There are no known exploits of this vulnerability.

15 January 2016

OpenSSH client versions 5.4 through 7.1p1 support an undocumented feature called roaming. An information leak flaw was found in the way OpenSSH client roaming feature was implemented. The information leak is exploitable in the default configuration of certain versions of the OpenSSH client and could (depending on the client's version, compiler, and operating system) allow a malicious SSH server to steal the client's private keys. This flaw can only be triggered after successful authentication and therefore can only be exploited by a malicious or compromised SSH server. Man-in-the-middle (MITM) attackers cannot exploit this issue.

The Thales Security Team is currently investigating these vulnerabilities for potential impact to our products. At this time we do not have evidence of any remote or local exploits for this vulnerability. Limited information is obtainable; however, https://www.kb.cert.org/vuls/id/456088 provides more details for customers that employ the client roaming feature in their products. Further investigation updates will be posted as more information is available.


OpenSSL Vulnerability CVE-2015-1793

10 July 2015

The Thales IDSS (SafeNet) Security Team has investigated OpenSSL vulnerability advisories issued 09 July 2015, CVE-2015-1793 affecting OpenSSL version 1.0.2b-c/1.0.1n-o. Thales IDSS products do not employ the affected versions of OpenSSL and are therefore not impacted by this vulnerability.


Security Update CVE-2015-5464

Update 29 July 2015

The severity of this vulnerability has been re-assessed as low according to the NIST Vulnerability Database CVSS score criteria. Despite this classification, Thales strongly encourages customers to apply the patch immediately to the Thales HSMs. Please log in to the SafeNet Customer Portal for additional information and available patches to address this vulnerability.

Update 24 July 2015

SafeNet confirms that this announcement is linked to CVE-2015-5464. A successful exploit would require local access to a fully authenticated session with the HSM. Multiple levels of authentication are also required to obtain the necessary access. The overall complexity of the exploit is medium as an attacker would have to obtain elevated access to systems authorized to use the HSM. A successful exploit would result in partial disclosure of information protected by the HSM. Modification or deletion of data is not impacted by the vulnerability. This vulnerability does not reduce the performance of the HSM or otherwise interrupt the availability of the HSM. There are no known exploits of this vulnerability. Thales is working to update the CVE severity information on NVD.

9 July 2015

The Thales IDSS Security Response team has recently identified a vulnerability affecting the Thales Luna HSM. There have been no known exploits of this vulnerability. The severity of the vulnerability is rated as high.

Please log in to the SafeNet Customer Portal for additional information and available patches to address this vulnerability.


CVE-2015-0291 OpenSSL/FREAK vulnerability

19 March 2015

SafeNet has investigated OpenSSL HIGH vulnerability advisories issued today regarding CVE-2015-0291 (OpenSSL 1.0.2 ClientHello sigalgs DoS) and increase in severity for CVE-2015-0204 (EXPORT_RSA [Client]). The results of our investigation are as follows:

1. OpenSSL 1.0.2 server - No impact
2. RSA Export - There is no change from earlier statements related to CVE-2015-0204 FREAK.


CVE-2015-0204 FREAK vulnerability

UPDATE 17 March 2015

The full portfolio review is now complete. There is no change from earlier statements. Our bulletin has been updated and finalized and is available at the SafeNet Customer Portal.

UPDATE 13 March 2015

At this time Thales does not have evidence of any remote or local exploits for this vulnerability. Thales is continuing to investigate and will post updates as soon as more information is available. Please see the SafeNet Customer Portal for more information.

06 March 2015

SafeNet is currently assessing US-CERT CVE-2015-0204, dubbed the FREAK (Factoring attack on RSA-EXPORT Keys) vulnerability. It could allow attackers to intercept HTTPS connections between vulnerable clients and servers and trick browsers into using weak 'export-grade' RSA cryptography in lieu of strong RSA. This key can then be decrypted or altered in a Man in the Middle (MITM) attack.

The Thales portfolio is undergoing a full vulnerability assessment in light of this information. Please continue to check regularly for updates.


CVE-2015-0235: GHOST Vulnerability

UPDATE 05 February 2015

On further investigation, Thales continues to find no evidence of any remote or local exploits for this vulnerability. Please see the SafeNet Customer Portal for additional information.

UPDATE 30 January 2015

At this time Thales does not have evidence of any remote or local exploits for this vulnerability. Thales is continuing to investigate and will post updates as soon as more information is available.

29 January 2015

SafeNet is currently assessing US-CERT CVE-2015-0235, a heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2 and other 2.x versions before 2.18 (a.k.a. GHOST) that may allow context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function. See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235.

The Thales portfolio is undergoing a full vulnerability assessment in light of this information. Please continue to check regularly for updates.


Network Time Protocol Daemon Vulnerabilities

Update 23 December 2014

The Thales security team has determined that Thales products are not exploitable by these vulnerabilities at this time. Please check with Customer Support for more information.

22 December 2014

SafeNet is currently assessing US-CERT Vulnerability Note published 19 December 2014, http://www.kb.cert.org/vuls/id/852879, stating that the Network Time Protocol daemon (ntpd) contains multiple vulnerabilities. Thales is reviewing these vulnerabilities for potential impact to our products.


CVE-2014-8730

11 December 2014

SafeNet is currently assessing http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8730, published 10 December 2014, pertaining to TLS implementations omitting to check the padding structure after decryption. Such implementations may be vulnerable to the POODLE attack. This is not a protocol flaw (like SSL V3 in Poodle) but rather an implementation flaw. Thales is monitoring this vulnerability for potential impact to our products.

Please continue to check for updates.
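As an added illustration (not code from Thales or from any TLS library), the following Python sketch contrasts the full TLS 1.x CBC padding check with the length-byte-only check that CVE-2014-8730 describes; the record bytes are constructed and the MAC step is left out.

```python
from typing import Optional

# Added illustration, not code from Thales or from any TLS implementation.
# TLS 1.x CBC padding rule: the final byte is padding_length, and every one of
# the padding_length bytes before it must also equal padding_length.


def padding_valid_strict(plaintext: bytes) -> bool:
    """Full structural check required by the TLS specification."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    # Every padding byte, not just the length byte, must match pad_len.
    return all(b == pad_len for b in plaintext[-(pad_len + 1):-1])


def padding_valid_lax(plaintext: bytes) -> bool:
    """The flawed check CVE-2014-8730 describes: only the length byte is read,
    so the padding bytes themselves are never verified and can be altered
    without the record being rejected."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    return pad_len + 1 <= len(plaintext)


def strip_padding(plaintext: bytes, strict: bool = True) -> Optional[bytes]:
    """Return the record content with padding removed, or None if rejected."""
    valid = padding_valid_strict if strict else padding_valid_lax
    if not valid(plaintext):
        return None
    pad_len = plaintext[-1]
    return plaintext[:-(pad_len + 1)]


# Constructed decrypted records (MAC omitted to keep the example short).
WELL_FORMED = b"hello" + bytes([2, 2, 2])   # pad_len = 2, both pad bytes == 2
TAMPERED = b"hello" + bytes([7, 9, 2])      # pad_len = 2, pad bytes altered


def compare_checks(record: bytes) -> dict:
    """Report how each check treats a record; a disagreement means the lax
    implementation accepts malformed padding that the specification rejects."""
    return {
        "strict": padding_valid_strict(record),
        "lax": padding_valid_lax(record),
    }


if __name__ == "__main__":
    for name, rec in (("well-formed", WELL_FORMED), ("tampered", TAMPERED)):
        print(name, compare_checks(rec))
```

A production check must also run in constant time and fold into the MAC verification; this sketch shows only the structural rule that the vulnerable implementations skipped.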


SafeNet Authentication Service IIS/Sharepoint Agent Vulnerability

30 October 2014

SafeNet has been made aware of a vulnerability in the Thales Authentication Service IIS/Sharepoint agents. Please log in to the SafeNet Customer Portal for more information.



SafeNet Authentication Service Agent Vulnerability

27 October 2014

SafeNet has been made aware of a vulnerability in the Thales Authentication Service OWA agent. Please log in to the SafeNet Customer Portal for more information.



CVE-2014-3566: SSL v3.0 Vulnerability

UPDATE - 17 October 2014

Many products implementing TLS-based services allow for fallback to SSL v3.0 for compatibility reasons. CVE-2014-3566, published 14 October 2014, identified a vulnerability that could expose systems to man-in-the-middle attacks when such fallback is permitted. Details can be found at CVE-2014-3566.

Exploitation of this vulnerability would require a sophisticated attacker to have access to the network and defeat other protection offered by Thales products and our customers. Please see the SafeNet Customer Portal for additional information.



CVE-2014-3566: SSLv3.0 protocol flaw (aka Poodle)

15 October 2014

SafeNet is currently assessing CVE-2014-3566, published 14 October 2014. This vulnerability could allow an attacker to exploit browser fallback to SSLv3.0 implementations that allow for interoperability with legacy systems.

This vulnerability is currently undergoing analysis and not all information is available. Please continue to check for updates.



Bash Vulnerability (CVE-2014-6271)

25 September 2014

SafeNet has been made aware of a vulnerability affecting all versions of the bash package as documented in CVE-2014-6271.

The Thales portfolio is undergoing a full vulnerability assessment in light of this announcement. In the event of a finding, product specific advisories, software patches, or new software downloads will be available in the SafeNet Customer Portal. Please continue to check regularly for updates or subscribe to specific product news feeds.

See more at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

UPDATE (26 September 2014)

The Thales Customer Portal link within the original post (above) has been updated.

UPDATE (1 October 2014)

The Thales Customer Portal link within the original post (above) has been updated.



BadUSB Vulnerability

22 August 2014

Recent research presented at Black Hat on August 7, 2014, demonstrated a new type of malware attack targeting USB devices. The attacks, referred to as “BAD USB”, describe a new attack vector in which malware infects the firmware of vulnerable USB devices. Once infected, the modified firmware controls the behavior of the USB device, causing it to behave in a way contrary to its intended purpose. As the modified controller firmware cannot be scanned or cleaned with current anti-malware solutions, the modified behavior can be exhibited without detection by the user. As explained by the researchers, the best protection against this vulnerability is to use code signing for firmware updates.

SafeNet Authentication USB tokens are protected from the unauthorized firmware updates that a Bad USB attack relies on. If you are using Thales USB Authentication tokens, please refer to the SafeNet Customer Portal for product-specific advisories related to this vulnerability.



OpenSSL Vulnerability Update

9 June 2014

For the latest, product specific update as it pertains to OpenSSL vulnerabilities, please review the links below.



OpenSSL Vulnerability Update

5 June 2014

SafeNet was notified of a number of OpenSSL vulnerabilities affecting all versions of OpenSSL.

Vulnerability   Description
CVE-2014-0224   SSL/TLS MITM vulnerability
CVE-2014-0221   DTLS recursion flaw
CVE-2014-0195   DTLS invalid fragment vulnerability
CVE-2014-0198   SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
CVE-2010-5298   SSL_MODE_RELEASE_BUFFERS session injection or denial of service
CVE-2014-3470   Anonymous ECDH denial of service

While an impact assessment is being completed for all of these notifications against all of SafeNet’s products, CVE-2014-0224 is the most significant. A CCS Injection could allow for a man-in-the-middle attack against an encrypted connection, making it possible for an attacker to intercept an encrypted data stream and then decrypt, view, and manipulate the data in that stream. To be clear, the vulnerability can only be exploited if both server and client are vulnerable to this issue. In the event that only one of the two is vulnerable, there is no risk of exploitation.

The entire Thales portfolio is undergoing a full vulnerability assessment to all of today’s notifications. However, the following products have been cleared and determined to be free from these reported vulnerabilities.

Luna PCI 5.3 and earlier

Luna PCI 5.4

Luna IS 6.0 and earlier

Luna SP 2.x and earlier

Luna EFT 1.5 and earlier

KeySecure/DataSecure 6.x

KeySecure/DataSecure 7.x

KeySecure Clients

Crypto Command Center




In summary, many of Thales’s products utilize OpenSSL as a part of the solution. The impact of this reported vulnerability is currently being investigated and immediate mitigation action will be taken if required. Product specific advisories, software patches, or new software downloads for affected Thales products will be available in the Thales Customer Portal. Please continue to check regularly for updates or subscribe to specific product news feeds.
