Infineon firmware security issues

Michael Scherer mscherer at redhat.com
Tue Oct 17 10:53:01 UTC 2017


On Tuesday, 17 October 2017 at 13:33 +0300, Eyal Edri wrote:
> Thanks,
> 
> So if I have an old YubiKey ( 2.43 ) I shouldn't be affected right?
> only V4 is ?

That's what the post on yubico.com seems to imply. We do not know what
chipset is used in the key, so I can't give an educated guess. But I
hear people using yubikey neo weren't affected.

Now, only the CCID function is problematic, and only if you did
generate the ssh key on the chip (e.g., followed official doc on
https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html and
used "yubico-piv-tool -s 9a -a generate -o public.pem" )

If you imported the key, then that should be ok.

If you use the yubikey for non smartcard use (e.g. U2F, 2FA for RH VPN
or similar system ), that's ok too.



> On Tue, Oct 17, 2017 at 12:56 PM, Marc Dequènes (Duck)
> <duck at redhat.com>
> wrote:
> 
> > Quack,
> > 
> > So the news (thanks Misc for the alert):
> > 
> > https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
> > 
> > This affects Yubikeys and other hardware:
> >   https://www.yubico.com/support/security-advisories/ysa-2017-01/
> > 
> > There's a nice tool to test if a key is vulnerable:
> >   https://github.com/crocs-muni/roca
> > 
> > I tested keys in the oVirt Puppet repository and none are affected.
> > 
> > You may check your other keys and ensure keys are checked in other
> > projects.
> > 
> > \_o<
> > 
> > 
> > _______________________________________________
> > Infra mailing list
> > Infra at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/infra
-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
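
The key check mentioned in the thread, as an added example (not part of the original messages and not code from the roca project): a Python sketch of the publicly documented ROCA fingerprint, which tests whether an RSA modulus falls in the subgroup generated by 65537 modulo small primes, applied to ssh-rsa public-key lines. The prime list, function names and sample moduli are assumptions constructed for this illustration.

```python
import base64
import math
import struct

E = 65537
# Odd primes up to 167 (assumption of this sketch: they divide the generator's
# primorial M for every affected key size).
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
          71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
          149, 151, 157, 163, 167]
SUBGROUPS = {p: {pow(E, k, p) for k in range(p - 1)} for p in PRIMES}

def has_roca_fingerprint(n):
    """True if n mod p lies in the subgroup generated by 65537 for every p."""
    return all(n % p in SUBGROUPS[p] for p in PRIMES)

def ssh_rsa_modulus(line):
    """Modulus of a plain 'ssh-rsa <base64> [comment]' line, else None."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        return None
    try:
        blob = base64.b64decode(fields[1])
    except ValueError:
        return None
    parts = []
    while len(blob) >= 4:  # each field: 4-byte big-endian length, then data
        (length,) = struct.unpack(">I", blob[:4])
        parts.append(blob[4:4 + length])
        blob = blob[4 + length:]
    return int.from_bytes(parts[2], "big") if len(parts) == 3 else None

def make_line(n, comment):
    """Encode a constructed modulus as an ssh-rsa line (sample data only)."""
    ints = [v.to_bytes(v.bit_length() // 8 + 1, "big") for v in (E, n)]
    blob = b"".join(struct.pack(">I", len(f)) + f for f in [b"ssh-rsa"] + ints)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def audit(lines):
    """1-based numbers of the lines whose RSA modulus shows the fingerprint."""
    return [i for i, line in enumerate(lines, 1)
            if (n := ssh_rsa_modulus(line)) is not None and has_roca_fingerprint(n)]

# Constructed inputs: not real keys, only values with and without the structure.
M = math.prod(PRIMES)
FLAGGED_N = pow(E, 20171017, M) * pow(E, 424242, M)
CLEAN_N = (2**127 - 1) * (2**89 - 1)
SAMPLE = [make_line(CLEAN_N, "constructed-clean"),
          "ssh-ed25519 AAAAconstructed not-rsa",
          make_line(FLAGGED_N, "constructed-flagged")]
```

`audit(SAMPLE)` returns the line numbers to follow up on; a hit is an indicator to confirm with the roca tool linked in the thread, and lines carrying authorized_keys options before the key type are skipped by this parser.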
