CVE-2023-29017 – VM2 Sandbox Escape

Update: 24 April 2023 - 17:00 UTC

An inventory of the CPL portfolio of products and services has been completed. Product & service specific details are available at the Thales CPL Customer Support Portal in the Knowledge Base article KB0027140.

190 April 2023 - 14:30 UTC

Thales Cloud Protection and Licensing (CPL) is aware of a vulnerability in the VM2 package in Node.js that could allow an authenticated user to perform arbitrary code execution. We are carrying out a full inventory of potentially affected configurations in our portfolio of data protection, access management and software monetization products and services and applying patches and mitigations as applicable.


 

Multiple OpenSSL Security Updates

07 Mar 2023 - 20:10 UTC

An inventory of the CPL portfolio of products and services has been completed. Product & service specific details are available at the Thales CPL Customer Support Portal in the Knowledge Base article KB0026911.

23 Feb 2023 – 15:00 UTC

An inventory of the CPL portfolio of data protection, access management and software monetization products and services and the investigation status for each product is now available at the Thales CPL Customer Support Portal at KB0026911. This information will be updated as investigations are completed. Please continue to check status as applicable.

10 Feb 2023 – 20:40 UTC

The OpenSSL advisory on February 7, 2023 listed a number of CVEs including one high (CVE-2023-0286) and seven moderate (CVE-2022-4304, CVE-2022-4203, CVE-2023-0215, CVE-2022-4450, CVE-2023-0216, CVE-2023-0217, CVE-2023-0401). At this time our engineering teams are working to identify any impact to product security based on these disclosures. We will continue to provide updates on this site and to the knowledge base as they become available.


 

CVE-2022-3602/CVE-2022-3706 OpenSSL

Update: 14 Nov 2022 – 13:00 UTC

An inventory of the CPL portfolio of products and services has been completed, showing no impact from these vulnerabilities to customers. Product & service specific details are available at the Thales CPL Customer Support Portal in the Knowledge Base article KB0026548.

03 Nov 2022 – 19:00 UTC

An inventory of the CPL portfolio of data protection, access management and software monetization products and services and the investigation status for each product is now available at the Thales CPL Customer Support Portal at KB0026548. This information will be updated as investigations are completed. Please continue to check status as applicable.

2 Nov 2022 – 19:00 UTC

The OpenSSL advisory on November 1, 2022 downgraded the severity of the vulnerability from Critical to High and provided important details related to the flaw. We have not yet identified any CPL products or services which are impacted and our investigations are continuing. Please check back here for updates to this status.

31 Oct 2022 – 16:30 UTC - OpenSSL critical patch to be released on 01-Nov-2022

Thales CPL is aware of the pending November 1st disclosure of a critical vulnerability in the OpenSSL v3.0.x library. Our engineering teams are working to identify any usage of the OpenSSL v3.0.x library in our products and services, and are prepared to take the necessary steps to analyze, mitigate, and remediate any issues for our customers. We will post further information on this topic as it becomes available.


 

Lockbit 3.0 claims

Update: 11 Nov 2022 – 17:00 UTC

Thales Group has released an official statement with respect to the Lockbit Ransomware allegations, which can be found at the following link:

Thales CPL reaffirms that our infrastructure and services are in no way impacted by this extortion activity.

10 Nov 2022 – 17:46 UTC

Thales reiterates that as of this date, the Group has not identified any trace of impact on - nor intrusion into - its information systems. Thales has also not received any authentic ransom notification.

We remain attentive towards any allegations of data theft. Thales cybersecurity experts are fully mobilized, as data protection is our utmost priority.

07 Nov 2022 – 22:00 UTC

The ransomware group Lockbit 3.0 announced plans to release data potentially pertaining to Thales Group on November 7, 2022 at 06H29 UTC. At this time, Thales experts have not identified any publication of data. We are carefully monitoring the situation and remain vigilant with regard to any data release. Thales cybersecurity experts are fully mobilized, as data protection is our utmost priority.

Thales reiterates that we have not identified any trace of impact on - nor intrusion into - its information systems. Thales has also not received any authentic ransom notification.

01 Nov 2022 – 8:30 EST

We are aware of an allegation of a Lockbit 3.0 attack targeting data potentially pertaining to the Thales Group. A dedicated team of security experts from Thales CERT are currently investigating the situation as security of our data remains a key priority.

Thales CPL will continue to support CERT in their investigations, and post any relevant information for customers of our products to this page as additional details are made available. As of today, we have not received any direct ransom notification; however, we are taking this allegation seriously.


 

CVE-2022-22950, CVE-2022-22963 and CVE-2022-22965 (Spring4Shell)

25 April 2022 – 15:30 EST

Thales Cloud Protection and Licensing (CPL) security teams have completed a full inventory of our portfolio of data protection, access management and software monetization products and services. Patches and mitigations have been applied where applicable. Please refer to KB0025709 for details.

5 April 2022 – 15:30 EST

Thales Cloud Protection and Licensing (CPL) security teams have posted an inventory of our portfolio of data protection, access management and software monetization products and services. Please refer to KB0025709 for details.

4 April 2022 – 12:00 EST

Thales Cloud Protection and Licensing (CPL) is aware of critical vulnerabilities in the Java Spring Core framework that could allow remote code execution and/or denial of service. We are carrying out a full inventory of potentially affected configurations in our portfolio of data protection, access management and software monetization products and services and applying patches and mitigations as applicable.


 

CVE-2021-4034 – Polkit Local Privilege Escalation

04 February 2022 – 16:45 EST

Thales Cloud Protection and Licensing (CPL) security teams have completed a full inventory of our portfolio of data protection, access management and software monetization products and services. Patches and mitigations have been applied where applicable. Please refer to KB0025513 for product updates.

26 January 2022 – 15:00 EST

Thales Cloud Protection and Licensing (CPL) is aware of a vulnerability in the pkexec tool of the polkit package in Linux/Unix systems that could allow an authenticated user to perform a privilege escalation attack. We are carrying out a full inventory of potentially affected configurations in our portfolio of data protection, access management and software monetization products and services and applying patches and mitigations as applicable.


 

Alleged Thales Group Ransomware Attack

18 January 2022 – 13:30 EST

Following on from our information previously reported, please refer to the Knowledge Base article KB0025400 that includes updated information relating to the latest findings of Thales Group.

05 January 2022 - 17:00 EST

Thales Cloud Protection and Licensing (CPL) business line is aware of a reported 'Lockbit ransomware' attack targeting data that belongs to the Thales group. For information regarding Thales Cloud Protection and Licensing's investigation into these allegations, customers should refer to the knowledge base article at this link KB0025400 or reach out directly to sales or support contacts for more information.

For information on this topic specific to Thales Group, please contact the Thales CERT at CERT@thalesgroup.com.


 

Vulnerability in Apache Log4j

UPDATE: 04 January 2022 – 15:30 EST

The investigation into the impact of these vulnerabilities in the CPL product portfolio is completed. Please now refer to the security advisory at this link KB0025297 for product updates.

17 December 2021 – 15:30 EST

The investigation into the impact of these vulnerabilities in the CPL product portfolio is near completion. Please now refer to the security advisory at this link KB0025297 for further updates.

16 December 2021 – 15:30 EST

The investigation of the impact of these vulnerabilities in the CPL product portfolio is continuing, with new information available at this link KB0025297. Please continue to monitor for daily updates.

15 December 2021 - 15:30 EST

Further to our initial posting, a new advisory CVE-2021-45046 was published today that outlines where, in some instances, the remediation from CVE-2021-44228 was incomplete in certain non-default configurations. The updated information detailed at KB0025297 reflects the status of this CVE as well.

14 December 2021 - 15:30 EST

The investigation of the impact of this vulnerability in the CPL product portfolio is continuing and further updates are now available in the Customer Support Portal at this link KB0025297. Depending on the level of exposure of each system, patches or containments are being deployed as soon as they are made available.

14 December 2021 - 06:50 EST

The investigation of the impact of this vulnerability in the CPL product portfolio is continuing and will be updated daily as results are available. We can confirm that products such as the Luna Network HSM appliances and clients and CipherTrust Manager are not vulnerable. Cloud Security services such as STA Classic/EU/US had mitigations deployed immediately and are not vulnerable to this CVE. More details are available at KB0025297.

10 December 2021 - 13:20 EST

Thales Cloud Protection and Licensing is aware of a vulnerability in Apache Log4j, versions prior to 2.15.0. This vulnerability could allow a remote attacker to execute arbitrary code on a vulnerable system, as documented in CVE-2021-44228. We are carrying out a full inventory of potentially affected configurations in our portfolio of data protection, access management and software monetization products and services. Please monitor our Thales Customer Support Portal for information on available patches, mitigations, and remediation strategies for specific products and services.


 

SafeNet Agent for Windows Logon Vulnerability

November 2021

The Thales Cloud Protection & Licensing (CPL) Team has recently identified a vulnerability in SafeNet Agent for Windows Logon (WLA) under specific configurations. Customers who use WLA are advised to review the security bulletin at KB0025156 to determine if they are affected and take action to mitigate.

There are no known exploits of this vulnerability.


 

Luna HSM Vulnerability

19 January 2021

Thales Cloud Protection & Licensing (CPL) Team identified a vulnerability in Luna Network HSM 5/6, PCIe HSM 5/6, USB HSM and Backup HSM (G5) products. Mitigation guidance and details may be found at KB0023556 and KB0023554.

There are no known exploits of this vulnerability.


 

SolarWinds Orion Vulnerability

Update January 15, 2021

Cloud Protection & Licensing (CPL) business line has now completed a full review of our portfolio of data protection, access management and software monetization products and services, and has concluded that this attack does not impact any of our products or services.

December 17, 2020

Background
Thales has been made aware of recent reports that the SolarWinds Orion Platform has been compromised and subsequently used in various cyberattacks against corporate and government infrastructure.

Statement
Upon announcement of this latest vulnerability the Thales CERT has carried out a full inventory of potentially affected configurations. Depending on the level of exposure, if any, of each server, patches or containments are being deployed as soon as they are made available based on information from our suppliers.

In parallel with the Thales CERT action, the Cloud Protection & Licensing (CPL) business line has conducted a full review of our portfolio of data protection, access management and software monetization products and services, and has determined that this attack does not impact any of our products or services, as we are not running the affected versions of SolarWinds. Due to the severity and risk of the SolarWinds advisory, we are continuing our efforts to update our defensive and detection capabilities and will provide updates in the future, as necessary.


 

CVE-2021-3011
Possible side-channel attacks, impacting FIDO U2F

January 12, 2021

The Thales Security Team has investigated the recently published report of possible side-channel attacks, impacting FIDO U2F, as detailed by the researchers at the following link: https://ninjalab.io/a-side-journey-to-titan/. The vulnerabilities described by this research can be tracked using CVE-2021-3011 in the National Vulnerability Database.

Our investigation has determined that Thales FIDO Authenticators are not impacted by this vulnerability.


 

ProtectServer PCIe HSM/Network HSM/Network HSM Plus Vulnerabilities

18 April 2022

Thales Cloud Protection and Licensing (CPL) have recently become aware of security vulnerabilities in the ProtectServer 2 and ProtectServer 3 HSM products. Mitigation guidance and details may be found at KB0025761.

16 Jan 2020

Thales Product Security Team has investigated additional vulnerabilities in the ProtectServer PCIe HSMs related to legacy readers and login. Customers who use this product are advised to review the security bulletin at KB0020849.

Update 10 June 2019

Thales has a long-standing relationship with Ledger and is supplying hardware security modules (HSM) for Ledger Vault deployments, Ledger’s offering to secure digital asset operations. In 2018 Ledger made Thales aware of security issues restricted to the Thales ProtectServer HSMs running firmware versions from 3.20.00 to 3.20.10 and ProtectServer-2 HSMs running firmware between 5.00.02 and 5.03.00 (excluding 5.01.03). Immediate action was taken by Thales to resolve these issues and to contact our customers with remediation action. Full details of the patch were published to our security updates portal in November 2018.

All other HSM products, including Thales Luna, Thales Data Protection On Demand and payShield, are not impacted in any way by the issues presented in Ledger’s research. We take any security claim very seriously and are grateful to Ledger for notifying us of these issues and working with us to resolution. We value the contribution of researchers and security professionals in our efforts towards continuous improvement of the security of our products.

Customers are advised to take action as described at KB0018211 to mitigate the risk.

Update 13 March 2019

The Thales Enterprise and Cybersecurity Team has investigated recently reported vulnerabilities in the Protect Server PSI-E/PSE products (end of sale December 2014). These vulnerabilities may impact the integrity and availability of the product if exploited. Customers are advised to take action as described at KB0018211 to mitigate the risk.

For further questions or concerns, please contact Thales technical support at https://supportportal.gemalto.com/.

09 November 2018

The Thales Enterprise and Cybersecurity Team has investigated recently reported vulnerabilities in the Protect Server PSI-E2/PSE2 products. These vulnerabilities may impact the integrity and availability of the product if exploited. Customers are advised to take action as described at KB0018211 to mitigate the risk.

For further questions or concerns, please contact Thales technical support at https://supportportal.gemalto.com/.


 

Sentinel LDK Vulnerabilities

27 Dec 2019

Thales Product Security Team has investigated a recently reported vulnerability in Sentinel LDK License Manager. Customers who use this product are advised to review the security bulletin at KB0020564.

08 Nov 2019

Thales Product Security Team has investigated recently reported vulnerabilities in Sentinel LDK License Manager. Customers who use this product are advised to review the security bulletin at KB0020199.

15 Oct 2019

Thales Product Security Team has investigated recently reported vulnerabilities in Sentinel LDK License Manager when installed as a service. Customers who use this product as a service are advised to review the security bulletin at KB0020074.

02 May 2019

Thales Product Security Team has investigated recently reported vulnerabilities in the Sentinel LDK product. There are no known exploits of these vulnerabilities. Further information on the vulnerability is available at the following security bulletin link: KB0018794.

For further questions or concerns, please contact customer support at https://supportportal.gemalto.com/


 

Minerva Vulnerability

 

05 December 2019

Additional information regarding the impact of the vulnerability on the smart cards can be found at the following link KB0020201.

21 November 2019

Czech academics have detailed a cryptographic attack that can recover Elliptic Curve Cryptography (ECC) private keys (ECDSA algorithms) used to sign operations on some smart cards and cryptographic libraries. Once obtained, the private key could allow attackers to spoof the attacked smartcards.

Thales takes this issue very seriously and is currently investigating the impact of this vulnerability on our smart cards. Further information is available at KB0020201.

Please continue to check the website where additional information will be posted as it becomes available.


 

CVE-2018-7183 NTP Vulnerability

 

27 November 2018

CVE-2018-7183 - Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 could allow remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array in the ntp client/daemon.

Thales Enterprise and Cybersecurity Team has investigated and applied additional security measures to address the impact of this vulnerability in Thales Network HSM/SafeNet Luna Network HSM products. Mitigation guidance and details may be found at KB0018260. There are no known exploits of this vulnerability.


 

Foreshadow Vulnerabilities

 

Update 5 Sept 2018

For further information on the mitigation guidelines, follow the security bulletin at the following link: KB0017929.

22 August 2018

The Thales Enterprise and Cybersecurity Team has investigated the recently announced vulnerabilities affected by two exploits known as Foreshadow and Foreshadow-Next Generation (NG). These vulnerabilities affect modern Intel processors and could allow unauthorized access to sensitive data stored in memory as documented in CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646.

The Foreshadow vulnerability (CVE-2018-3615) allows an attacker to extract data from SGX enclaves. None of Thales’s Enterprise and Cybersecurity products use SGX; they are therefore NOT impacted by this vulnerability.

The Foreshadow Next-Generation (NG) vulnerabilities (CVE-2018-3620, CVE-2018-3646) affect Virtual Machines (VMs), hypervisors (VMM), operating system (OS) kernel memory and System Management Mode (SMM) memory. Intel has published a security advisory (INTEL-SA-00161) and released new microcode (patches) for the affected processors. Thales/SafeNet is following the security advisory and appropriate security patches are being deployed in the cloud environments.

Customers who deployed Thales products/services on premise should ensure that the operating systems and hypervisors of the host machines are patched with the latest security updates where applicable.

Customers who have questions about these vulnerabilities should get in touch with their usual Thales Customer Support contact.


 

CVE-2018-8340: ADFS Security Feature Bypass Vulnerability

 

23 August 2018

The Thales Enterprise and Cybersecurity Team has investigated the recently announced ADFS vulnerabilities and determined that Thales ADFS agents are not impacted by CVE-2018-8340. Customers are advised to ensure that they update to the latest patch (MFA) from Microsoft (CVE-2018-8340) to mitigate the risk. At this time we do not have any evidence of any exploit of this vulnerability in our ADFS agent.


 

Meltdown & Spectre Vulnerabilities

 

Update 1 June 2018

The Thales Security Team has investigated the recently published vulnerabilities CVE-2018-3639/3640. Our investigation has concluded that for this category of vulnerability to be exploitable, an attacker would have to be able to execute arbitrary (i.e. malicious) code within the appliance environment. Thales/SafeNet appliance products are not impacted as arbitrary code cannot be executed to exploit either of these vulnerability variants. Notwithstanding, customers should ensure that the operating systems and hypervisors of the host machines are patched where applicable.

Update 19 January 2018

The Thales Enterprise and Cybersecurity Security Team is continuing to investigate the impact of these vulnerabilities to our products and services, revising as more information is available. In general, if products/services employ a potentially vulnerable processor, security measures are in place to prevent exploitation of the vulnerabilities. Updated information may be found at: KB0017000.

Please continue to check this website where additional information will be posted as it becomes available.

Update 12 January 2018

The Thales Enterprise and Cybersecurity Security Team is continuing to investigate the impact of these vulnerabilities to our products and services, revising as more information is available. In general, if products/services employ a potentially vulnerable processor, security measures are in place to prevent exploitation of the vulnerabilities. Updated information may be found at: KB0017000.

Please continue to check this website where additional information will be posted as it becomes available.

Update 09 January 2018

The Thales Enterprise and Cybersecurity Security Team has investigated the impact of these vulnerabilities to our products and services. In general, if products/services employ a potentially vulnerable processor, security measures are in place to prevent exploitation of the vulnerabilities. Further information is available at KB0017000.

Please continue to check this website where additional information will be posted as it becomes available.

04 January 2018

It has recently been announced that three vulnerabilities affected by two exploits known as Meltdown and Spectre are affecting modern processors. These vulnerabilities could allow unauthorized access to sensitive data as documented in CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754.

Thales takes this issue very seriously and is investigating the impact of these vulnerabilities on our products and solutions. Thales CERT is also closely monitoring updated information related to patch availability. In parallel, we are coordinating a regular follow-up with our cloud service providers. We have set up a dedicated team of security experts to work on the situation and we will continue to monitor any developments.

Customers who have questions about these vulnerabilities should get in touch with their usual Thales Customer Support contact. Please continue to check this website where additional information will be posted as it becomes available.


 

Sentinel LDK Vulnerabilities

 

Update 12 April 2018

Customers who have Sentinel LDK Run-time Environment (RTE) version (v2.10-66) are advised to update their Sentinel LDK RTE to the latest Sentinel LDK RTE component (v7.80). Further information is available at the following security bulletin link: KB0017405.

Update 9 March 2018

Customers who have Sentinel LDK Run-time Environment (RTE) version (v2.10-63) are advised to update their Sentinel LDK RTE to the latest Sentinel LDK RTE component (v7.65). This update can be found on the Sentinel Downloads site.

25 January 2018

In September 2017, Thales/SafeNet published a notice advising Sentinel customers of vulnerabilities associated with the use of Sentinel LDK EMS server and License Manager services. These vulnerabilities may impact the confidentiality and integrity of the services if exploited.

This notice is to remind customers using these services to follow the mitigation guidelines outlined in the security bulletin at the following link: KB0016365.

Thales would like to acknowledge Kaspersky for responsible disclosure of these vulnerabilities.


 

SAML-Based Security Vulnerabilities

 

5 March 2018

Thales Security Teams have investigated a new vulnerability class (CVE-2017-11427) that affects SAML-based single sign-on (SSO) systems reported by Duo Labs. This vulnerability, under certain conditions, could allow an attacker with authenticated access to a SAML Identity Provider (IdP) to impersonate a different user. Information on the vulnerabilities may be found at https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations.

Our analysis has determined that Thales Authentication Service (SAS); Thales Trusted Access (STA); and Data Protection as a Service (DPaaS) are NOT impacted by this vulnerability. Customers should validate that their SAML service providers are not impacted as well.


 

CVE-2017-15361 ROCA Vulnerability - Infineon RSA library does not properly generate RSA key pairs

 

Update - 30 November 2017

As part of our efforts to provide an interim solution to IDPrime.NET customers who have been affected by this ROCA vulnerability, we are releasing an updated version of our smart card middleware: IDGo 800 PKCS#11 v1.2.10, Thales Authentication Client 10.4 and Thales Minidriver 10.1. These releases enable the technical option outlined below as an interim solution. Clients who are using these products are directed to KB0016843 for further information.

Update - 17 November 2017

As part of our efforts to provide an interim solution to IDPrime.NET customers who have been affected by this ROCA vulnerability, we are releasing updated versions of our smart card middleware: IDGo 800 Minidriver, Thales Minidriver 10.1 and Thales Authentication Client. Clients who are using these products are directed to KB0016772 for further information.

26 October 2017

Our investigation has determined that End-of-sale IDPrime.NET products are impacted. The severity of the impact is dependent on customer use case and configuration. Clients who are using these products are directed to KB0016635 for further information.

20 October 2017

We are aware of the potential security vulnerability relating to RSA key generation which affects Infineon software cryptographic libraries as published. The vulnerability is linked to the RSA on-board key generation library optionally bundled with the chip by the silicon manufacturer. Infineon have stated that the chip itself is not affected.

Thales’s Enterprise and Cybersecurity generally available and currently supported authentication and data encryption products are NOT affected by this potential issue. Our investigation has determined that End-of-sale IDPrime.NET products may be affected. Clients who are using these products are directed to KB0016635 for further information. Please continue to check this website where additional information will be posted as it becomes available.


 

BlueBorne Bluetooth Vulnerability

 

19 September 2017

The Thales security team has determined that the Thales CT1100 and Thales K1100 Reader are not exploitable by the BlueBorne BLE vulnerability, which may affect Bluetooth-enabled devices. Since these Thales products require target devices to have an active Bluetooth connection, which may make the device vulnerable to a BlueBorne attack, customers are advised to ensure that they have updated their Bluetooth interfaces with the corresponding fix on their OS from the respective OS vendor.

For more information about the BlueBorne Bluetooth vulnerability, please click HERE.


 

WannaCry Ransomware

 

15 May 2017

Thales/SafeNet is aware of the Shadow Brokers leak (WannaCry), mainly affecting Microsoft Windows services, and documented in MS17-010, MS14-068, MS10-061, MS09-050, MS08-067, CVE-2017-3623, CVE-2017-3622, CVE-2017-0146 and CVE-2017-0147, CVE-2014-6324, CVE-2009-3103, CVE-2008-4250, CVE-2003-0694 and CVE-2003-0681.

Our security teams are carrying out an inventory of potentially affected configurations. Depending on the level of exposure of each server, patches or containments are being deployed as soon as they are made available based on information from our suppliers. At this time we do not have evidence of any remote or local exploits for this vulnerability.


 

SAM Client Vulnerability

 

19 April 2017

SafeNet Authentication Manager Client is deployed with ActiveX components to perform actions on the end-user filesystem and end-user tokens. This could allow an attacker to use malicious JavaScript to invoke ActiveX methods to obtain unauthorized access to the end-user filesystem. Further information is available at: KB0015461.

There are no known exploits of this vulnerability.


 

CVE-2015-2808 ARCFOUR Vulnerability

 

29 March 2017

CVE-2015-2808 is a CVSS medium-severity rated vulnerability that could allow a remote attacker to conduct plaintext recovery attacks by sniffing initial network traffic and then using a brute-force attack to extract the first few bytes of information of an encrypted message in plaintext.

The Thales Security Team has investigated the potential impact of this vulnerability to our products. Further information is available at: https://supportportal.gemalto.com/csm?id=kb_article&sys_id=b784a4b54fbdf284873b69d18110c74d. There are no known exploits of this vulnerability.


 

APDU Protocol Weaknesses – eTokenPRO Java/SafeSite Classic

 

Update 27 January 2017

The information below has been updated to reflect mitigation strategies that may also be applicable to all eToken Java-based products. This information is outlined at https://kb.safenet-inc.com/kb/link.jsp?ID=TE2888.

16 September 2016

A recent research report highlighted weaknesses in the APDU protocol used to communicate with the eToken PRO Java tokens and SafeSite Classic TPC IS V1 smartcards.

Current Thales authentication tokens and middleware products are not affected by this report. Customers using end of sale eToken PRO Java tokens or older versions of Thales Authentication Client which may be affected are advised to follow the mitigation guidelines outlined in security bulletin https://kb.safenet-inc.com/kb/link.jsp?ID=TE2697.

Customers using End of Life SafeSite Classic TPC IS V1 smartcards are advised to follow the mitigation guidelines outlined in security bulletin https://kb.safenet-inc.com/kb/link.jsp?ID=TE2698.


 

OpenSSL Vulnerabilities CVE-2016-2107 and CVE-2016-2108

 

05 May 2016

OpenSSL announced two high severity vulnerabilities on 3 May 2016 as follows:

The Thales IDSS (SafeNet) Security Team is currently investigating the potential impact of these vulnerabilities to the IDSS product portfolio. At this time we do not have evidence of any remote or local exploits for this vulnerability. Further investigation updates will be posted as more information is available. Please continue to check for updates.


 

Multiple OpenSSL Vulnerabilities including CVE-2016-0800 (DROWN) and CVE-2016-0703 (Divide and Conquer)

 

Update 08 April 2016

The Thales IDSS (SafeNet) Security Team investigation has determined that Thales IDSS products are not impacted by the CVE-2016-0800 (DROWN) and CVE-2016-0703 (Divide and Conquer) vulnerabilities.

1 March 2016

A number of vulnerabilities have been disclosed by OpenSSL including a high severity cross-protocol attack on TLS using SSLv2 identified as CVE-2016-0800 (DROWN) and a high severity divide-and-conquer key recovery attack identified as CVE-2016-0703 (Divide and Conquer) which can lead to a more efficient DROWN attack. A moderate severity vulnerability and multiple low severity vulnerabilities were also disclosed.

More information about these vulnerabilities is available in the OpenSSL Security Advisory at: https://www.openssl.org/news/secadv/20160301.txt.

The Thales IDSS (SafeNet) Security Team is currently investigating the potential impact of these vulnerabilities to our products. Further information will be posted as we have results.


 

SaS Privilege Escalation Vulnerability

 

31 March 2016

The installation of several Thales Authentication Service Agents is vulnerable to privilege escalation due to weak ACLs assigned to some of the installation subdirectories and executable modules. This vulnerability, if exploited, may impact the integrity and availability of the executed modules but does not have any confidentiality impact. Exploiting this vulnerability requires local access and has medium complexity for agents that reside on servers and low complexity for agents that reside on client hosts. There are no known exploits of this vulnerability.

This vulnerability has been assigned the following CVE numbers: CVE-2015-7596 through CVE-2015-7598 and CVE-2015-7961 through CVE-2015-7967.

Please log in to the SafeNet Customer Portal for additional information and available patches to address this vulnerability.


 

CVE-2015-7547

 

18 February 2016

A major vulnerability has been disclosed publicly as CVE-2015-7547 that could lead to a stack-based buffer overflow in the DNS resolver of glibc versions 2.9 to 2.22. More information is available from the glibc developers at https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html.

The Thales Security Team is currently investigating the potential impact of this vulnerability to our products. Further information will be posted as we have results. We know of no attacks that use this specific vulnerability.


 

OpenSSH Vulnerability CVE-2016-0777/0778

 

Update 22 January 2016

The Thales IDSS (SafeNet) Security Team has investigated OpenSSH vulnerabilities CVE-2016-0777/0778. Thales IDSS products are not impacted by this vulnerability. There are no known exploits of this vulnerability.

15 January 2016

OpenSSH client versions 5.4 through 7.1p1 support an undocumented feature called roaming. An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. The information leak is exploitable in the default configuration of certain versions of the OpenSSH client and could (depending on the client's version, compiler, and operating system) allow a malicious SSH server to steal the client's private keys. This flaw can only be triggered after successful authentication and therefore can only be exploited by a malicious or compromised SSH server. Man-in-the-middle (MITM) attackers cannot exploit this issue.

The Thales Security Team is currently investigating these vulnerabilities for potential impact to our products. At this time we do not have evidence of any remote or local exploits for this vulnerability. Limited information is available; however, https://www.kb.cert.org/vuls/id/456088 provides more details for customers that employ the client roaming feature in their products. Further investigation updates will be posted as more information is available.


 

OpenSSL Vulnerability CVE-2015-1793

 

10 July 2015

The Thales IDSS (SafeNet) Security Team has investigated the OpenSSL vulnerability advisory issued 09 July 2015 for CVE-2015-1793, which affects OpenSSL versions 1.0.2b-c/1.0.1n-o. Thales IDSS products do not employ the affected versions of OpenSSL and are therefore not impacted by this vulnerability.


 

Security Update CVE-2015-5464

 

Update 29 July 2015

The severity of this vulnerability has been re-assessed as low according to the NIST Vulnerability Database CVSS score criteria. Despite this classification, Thales strongly encourages customers to apply the patch immediately to the Thales HSMs. Please log in to the SafeNet Customer Portal for additional information and available patches to address this vulnerability.

Update 24 July 2015

SafeNet confirms that this announcement is linked to CVE-2015-5464. A successful exploit would require local access to a fully authenticated session with the HSM. Multiple levels of authentication are also required to obtain the necessary access. The overall complexity of the exploit is medium as an attacker would have to obtain elevated access to systems authorized to use the HSM. A successful exploit would result in partial disclosure of information protected by the HSM. Modification or deletion of data is not impacted by the vulnerability. This vulnerability does not reduce the performance of the HSM or otherwise interrupt the availability of the HSM. There are no known exploits of this vulnerability. Thales is working to update the CVE severity information on NVD.

9 July 2015

The Thales IDSS Security Response team has recently identified a vulnerability affecting the Thales Luna HSM. There have been no known exploits of this vulnerability. The severity of the vulnerability is rated as high.

Please log in to the SafeNet Customer Portal for additional information and available patches to address this vulnerability.


 

CVE-2015-0291 OpenSSL/FREAK vulnerability

 

19 March 2015

SafeNet has investigated the OpenSSL HIGH vulnerability advisories issued today regarding CVE-2015-0291 (OpenSSL 1.0.2 ClientHello sigalgs DoS) and the increase in severity for CVE-2015-0204 (EXPORT_RSA [Client]). The results of our investigation are as follows:

1. OpenSSL 1.0.2 server - No impact
2. RSA Export - There is no change from earlier statements related to CVE-2015-0204 FREAK.


 

CVE-2015-0204 FREAK vulnerability

 

UPDATE 17 March 2015

The full portfolio review is now complete. There is no change from earlier statements. Our bulletin has been updated and finalized and is available at the SafeNet Customer Portal.

UPDATE 13 March 2015

At this time Thales does not have evidence of any remote or local exploits for this vulnerability. Thales is continuing to investigate and will post updates as soon as more information is available. Please see the SafeNet Customer Portal for more information.

06 March 2015

SafeNet is currently assessing US-CERT CVE-2015-0204, dubbed the FREAK (Factoring attack on RSA-EXPORT Keys) vulnerability. It could allow attackers to intercept HTTPS connections between vulnerable clients and servers and trick browsers into using weak 'export-grade' RSA cryptography in lieu of strong RSA. This key can then be decrypted or altered in a Man in the Middle (MITM) attack.

The Thales portfolio is undergoing a full vulnerability assessment in light of this information. Please continue to check regularly for updates.


 

CVE-2015-0235: GHOST Vulnerability

 

UPDATE 05 February 2015

On further investigation, Thales continues to find no evidence of any remote or local exploits for this vulnerability. Please see the SafeNet Customer Portal for additional information.

UPDATE 30 January 2015

At this time Thales does not have evidence of any remote or local exploits for this vulnerability. Thales is continuing to investigate and will post updates as soon as more information is available.

29 January 2015

SafeNet is currently assessing US-CERT CVE-2015-0235, a heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2 and other 2.x versions before 2.18, a.k.a. GHOST, that may allow context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function. See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235.

The Thales portfolio is undergoing a full vulnerability assessment in light of this information. Please continue to check regularly for updates.


 

Network Time Protocol Daemon Vulnerabilities

 

Update 23 December 2014

The Thales security team has determined that Thales products are not exploitable through these vulnerabilities at this time. Please check with Customer Support for more information.

22 December 2014

SafeNet is currently assessing the US-CERT Vulnerability Note published 19 December 2014, http://www.kb.cert.org/vuls/id/852879, stating that the Network Time Protocol daemon (ntpd) contains multiple vulnerabilities. Thales is reviewing these vulnerabilities for potential impact to our products.


 

CVE-2014-8730

 

11 December 2014

SafeNet is currently assessing http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8730, published 10 December 2014, pertaining to TLS implementations that omit the check of the padding structure after decryption. Such implementations may be vulnerable to the POODLE attack. This is not a protocol flaw (like SSL V3 in Poodle) but rather an implementation flaw. Thales is monitoring this vulnerability for potential impact to our products.

Please continue to check for updates.


 

SafeNet Authentication Service IIS/Sharepoint Agent Vulnerability

 

30 October 2014

SafeNet has been made aware of a vulnerability in the Thales Authentication Service IIS/Sharepoint agents. Please log in to the SafeNet Customer Portal for more information.

 


 

SafeNet Authentication Service Agent Vulnerability

 

27 October 2014

SafeNet has been made aware of a vulnerability in the Thales Authentication Service OWA agent. Please log in to the SafeNet Customer Portal for more information.

 


 

CVE-2014-3566: SSL v3.0 Vulnerability

 

UPDATE - 17 October 2014

Many products implementing TLS-based services allow for fallback to SSL v3.0 for compatibility reasons. CVE-2014-3566, published 14 October 2014, identified a vulnerability that could expose systems to man-in-the-middle attacks when such fallback is permitted. Details can be found at CVE-2014-3566.

Exploitation of this vulnerability would require a sophisticated attacker to have access to the network and defeat other protection offered by Thales products and our customers. Please see SafeNet Customer Portal for additional information.

 


 

CVE-2014-3566: SSLv3.0 protocol flaw (aka Poodle)

 

15 October 2014

SafeNet is currently assessing CVE-2014-3566 published 14 October 2014. This vulnerability could allow an attacker to exploit browser fallback to SSLv3.0 implementations that allow for interoperability with legacy systems.

This vulnerability is currently undergoing analysis and not all information is available. Please continue to check for updates.

 


 

Bash Vulnerability (CVE-2014-6271)

 

25 September 2014

SafeNet has been made aware of a vulnerability affecting all versions of the bash package as documented in CVE-2014-6271.

The Thales portfolio is undergoing a full vulnerability assessment in light of this announcement. In the event of a finding, product specific advisories, software patches, or new software downloads will be available in the SafeNet Customer Portal. Please continue to check regularly for updates or subscribe to specific product news feeds.

See more at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

UPDATE (26 September 2014)
The Thales Customer Portal link within the original post (above) has been updated.

UPDATE (1 October 2014)
The Thales Customer Portal link within the original post (above) has been updated.

 


 

BadUSB Vulnerability

 

22 August 2014

Recent research presented at Black Hat on August 7, 2014, demonstrated a new type of malware attack targeted at USB devices. The attacks, referred to as “BAD USB”, describe a new attack vector where malware can infect the firmware of vulnerable USB devices. Once infected, the modified firmware controls the behavior of the USB device, causing it to behave in a way contrary to its intended purpose. As the modified controller firmware cannot be scanned or cleaned with current anti-malware solutions, the modified behavior can be exhibited without detection by the user. As explained by the researchers, the best protection against this vulnerability is to use code signing for firmware updates.

SafeNet Authentication USB tokens are protected from the unauthorized firmware updates that a Bad USB attack may attempt. If you are using Thales USB Authentication tokens, please refer to the SafeNet Customer Portal for product-specific advisories related to this vulnerability.

 


 

OpenSSL Vulnerability Update

 

9 June 2014

For the latest product-specific update as it pertains to OpenSSL vulnerabilities, please review the links below.

 


 

OpenSSL Vulnerability Update

 

5 June 2014

SafeNet was notified of a number of OpenSSL vulnerabilities affecting all versions of OpenSSL.

Vulnerability: Description

CVE-2014-0224: SSL/TLS MITM vulnerability

CVE-2014-0221: DTLS recursion flaw

CVE-2014-0195: DTLS invalid fragment vulnerability

CVE-2014-0198: SSL_MODE_RELEASE_BUFFERS NULL pointer dereference

CVE-2010-5298: SSL_MODE_RELEASE_BUFFERS session injection or denial of service

CVE-2014-3470: Anonymous ECDH denial of service

 

While an impact assessment is being completed for all of these notifications against all of SafeNet’s products, CVE-2014-0224 is the most significant. A CCS Injection could allow for a man-in-the-middle attack against an encrypted connection, making it possible for an attacker to intercept an encrypted data stream and then decrypt, view, and manipulate the data in that stream. To be clear, the vulnerability can only be exploited if both server and client are vulnerable to this issue. In the event that only one of the two is vulnerable, there is no risk of exploitation.

The entire Thales portfolio is undergoing a full vulnerability assessment against all of today’s notifications. However, the following products have been cleared and determined to be free from these reported vulnerabilities.

Luna PCI 5.3 and earlier

Luna PCI 5.4

Luna IS 6.0 and earlier

Luna SP 2.x and earlier

Luna EFT 1.5 and earlier

KeySecure/DataSecure 6.x

KeySecure/DataSecure 7.x

KeySecure Clients

Crypto Command Center

 


 


 

 

In summary, many of Thales’s products utilize OpenSSL as a part of the solution. The impact of this reported vulnerability is currently being investigated and immediate mitigation action will be taken if required. Product-specific advisories, software patches, or new software downloads for affected Thales products will be available in the Thales Customer Portal. Please continue to check regularly for updates or subscribe to specific product news feeds.