Infineon firmware security issues

From: Marc Dequènes (Duck) <duck@redhat.com>
To: oVirt Infra <infra@ovirt.org>
Subject: Infineon firmware security issues
Date: Tue, 17 Oct 2017 18:56 +0900
(OpenPGP/MIME signed message, RFC 4880 and 3156; signature not reproduced here)

Quack,

So the news (thanks Misc for the alert):
https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background

This affects Yubikeys and other hardware:
https://www.yubico.com/support/security-advisories/ysa-2017-01/

There's a nice tool to test if a key is vulnerable:
https://github.com/crocs-muni/roca

I tested keys in the oVirt Puppet repository and none are affected.

You may check your other keys and ensure keys are checked in other projects.

\_o<

From: Michael Scherer <mscherer@redhat.com>
To: oVirt Infra <infra@ovirt.org>
Subject: Re: Infineon firmware security issues

On Tuesday 17 October 2017 at 18:56 +0900, Marc Dequènes (Duck) wrote:
> So the news (thanks Misc for the alert):
> https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
>
> This affects Yubikeys and other hardware:
> https://www.yubico.com/support/security-advisories/ysa-2017-01/
>
> There's a nice tool to test if a key is vulnerable:
> https://github.com/crocs-muni/roca
>
> I tested keys in the oVirt Puppet repository and none are affected.
>
> You may check your other keys and ensure keys are checked in other projects.

Ideally, if someone could verify the keys in Gerrit, it would be helpful. I removed mine, but I suspect I am not the only one who tried to follow best practices :)

Debian, Github and Fedora did send alerts to the people affected, and I am in the process of changing my key in the 50 to 60 places where I used it, and I assume most affected people will be aware somehow, but automated removal from vulnerable systems would surely help.

-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS

From: Eyal Edri
To: oVirt Infra <infra@ovirt.org>
Subject: Re: Infineon firmware security issues

On Tue, Oct 17, 2017 at 1:31 PM, Michael Scherer <mscherer@redhat.com> wrote:
> On Tuesday 17 October 2017 at 18:56 +0900, Marc Dequènes (Duck) wrote:
> > There's a nice tool to test if a key is vulnerable:
> > https://github.com/crocs-muni/roca
> >
> > I tested keys in the oVirt Puppet repository and none are affected.
> >
> > You may check your other keys and ensure keys are checked in other projects.
>
> Ideally, if someone could verify the keys in Gerrit, it would be helpful. I removed mine, but I suspect I am not the only one who tried to follow best practices :)

If you run the tool locally on your .ssh/ dir, it should already include the public key you have on Gerrit, no? We'll need to check if it's possible to run that tool on Gerrit, and if the keys are even stored on the fs and not inside the Gerrit DB.

> Debian, Github and Fedora did send alerts to the people affected, and I am in the process of changing my key in the 50 to 60 places where I used it, and I assume most affected people will be aware somehow, but automated removal from vulnerable systems would surely help.
>
> -- 
> Michael Scherer
> Sysadmin, Community Infrastructure and Platform, OSAS
> _______________________________________________
> Infra mailing list
> Infra@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/infra

-- 
Eyal Edri
Manager, RHV DevOps, EMEA Virtualization R&D, Red Hat EMEA
phone: +972-9-7692018
irc: eedri (on #tlv #rhev-dev #rhev-integ)

From: Michael Scherer <mscherer@redhat.com>
To: oVirt Infra <infra@ovirt.org>
Subject: Re: Infineon firmware security issues

On Tuesday 17 October 2017 at 13:36 +0300, Eyal Edri wrote:
> On Tue, Oct 17, 2017 at 1:31 PM, Michael Scherer <mscherer@redhat.com> wrote:
> > Ideally, if someone could verify the keys in Gerrit, it would be helpful. I removed mine, but I suspect I am not the only one who tried to follow best practices :)
>
> If you run the tool locally on your .ssh/ dir, it should already include the public key you have on Gerrit, no?

Well, I know my key is vulnerable, got notified by Fedora and Github. But I just do not know where I used it exactly, because I have accounts everywhere, and it's likely that I may have forgotten it in some place.

> We'll need to check if it's possible to run that tool on Gerrit, and if the keys are even stored on the fs and not inside the Gerrit DB.

If they are in the DB, we can extract them with a SQL request IMHO. I plan to look at Gluster's Gerrit instance once I finish my own cleanup and key generation, which is a rather tedious task (because I also found out that my backup key is not working anymore for an unknown reason).

-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
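What the roca tool is actually testing, as an added example for this thread (Python written here, not the crocs-muni code; the two RSA key files it writes are constructed fixtures rather than real keys, and the synthetic modulus is built to trip the fingerprint instead of being a product of two primes). RSALib primes have the form p = k*M + (65537^a mod M) for a primorial M, so for an affected key the modulus N = p*q reduced modulo each small prime r is always a power of 65537 in Z_r*. Checking that for the 38 odd primes up to 167 is the whole detection. It needs only the public key, which is why it can run over ~/.ssh/*.pub just as well as over keys exported from a Gerrit instance; the check takes a bare modulus, so how the keys are pulled out of Gerrit's storage is left to the operator.

```python
"""ROCA (CVE-2017-15361) fingerprint check for RSA public keys.

Added example, not the crocs-muni/roca code. RSALib-generated primes have
the form p = k*M + (65537^a mod M) with M a primorial, so for such a key
N = p*q satisfies: N mod r is a power of 65537 in Z_r* for every small
prime r dividing M. The check below tests exactly that for the 38 odd
primes up to 167; a modulus from any other generator fails it with
overwhelming probability.
"""
import base64
import struct
import tempfile
from pathlib import Path

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def residue_mask(prime):
    """Bitmask with bit r set for every r = 65537^k mod prime (k >= 0)."""
    mask, r = 0, 1
    while not mask & (1 << r):      # stop once the cycle returns to a seen residue
        mask |= 1 << r
        r = (r * GENERATOR) % prime
    return mask


MASKS = [residue_mask(p) for p in SMALL_PRIMES]


def has_roca_fingerprint(n):
    """True if every residue of n matches the RSALib fingerprint."""
    return all(mask & (1 << (n % p)) for p, mask in zip(SMALL_PRIMES, MASKS))


def _ssh_strings(blob):
    """Split an SSH wire blob into its length-prefixed strings (RFC 4251)."""
    out, i = [], 0
    while i < len(blob):
        (length,) = struct.unpack(">I", blob[i:i + 4])
        out.append(blob[i + 4:i + 4 + length])
        i += 4 + length
    return out


def parse_openssh_rsa(line):
    """Return (e, n) from an 'ssh-rsa AAAA... comment' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    fields = _ssh_strings(base64.b64decode(parts[1]))
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def _mpint(x):
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:               # keep the mpint non-negative
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def openssh_rsa_line(e, n, comment):
    """Encode (e, n) as an OpenSSH public key line; used here to build fixtures."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment + "\n"


def scan_pubkeys(directory):
    """{file name: fingerprint hit} for each ssh-rsa *.pub in directory (like running the tool on ~/.ssh)."""
    results = {}
    for pub in sorted(Path(directory).glob("*.pub")):
        try:
            _, n = parse_openssh_rsa(pub.read_text())
        except ValueError:
            continue                # non-RSA keys are out of scope for ROCA
        results[pub.name] = has_roca_fingerprint(n)
    return results


# Constructed fixtures (assumption: not real keys). The first is built to
# satisfy N == 65537^c (mod M) and therefore triggers the fingerprint; the
# second has N == 2 (mod 11), and 2 is not a power of 65537 mod 11.
M = 1
for _p in SMALL_PRIMES:
    M *= _p
SYNTHETIC_ROCA_N = pow(GENERATOR, 12345, M) + M * (1 << 1800)
CLEAN_N = 11 * (1 << 2000) + 2


def demo():
    """Write the fixtures to a scratch ~/.ssh-like directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "id_rsa_infineon.pub").write_text(openssh_rsa_line(65537, SYNTHETIC_ROCA_N, "constructed-roca"))
        Path(d, "id_rsa_clean.pub").write_text(openssh_rsa_line(65537, CLEAN_N, "constructed-clean"))
        # placeholder non-RSA line, not a real key; it must be skipped, not flagged
        Path(d, "id_ed25519.pub").write_text("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxx placeholder\n")
        return scan_pubkeys(d)


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'VULNERABLE (ROCA fingerprint)' if hit else 'ok'}")
```

Only ssh-rsa keys in OpenSSH one-line format are parsed here; PEM/X.509 keys need a DER parser, which the upstream tool has. The fingerprint's false-positive rate is vanishingly small, but a hit on a key that was never generated on an Infineon device is still worth confirming with the upstream tool before revoking anything.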

From: Eyal Edri
To: oVirt Infra <infra@ovirt.org>
Subject: Re: Infineon firmware security issues

Thanks,

So if I have an old YubiKey (2.43) I shouldn't be affected, right? Only V4 is?

On Tue, Oct 17, 2017 at 12:56 PM, Marc Dequènes (Duck) <duck@redhat.com> wrote:
> This affects Yubikeys and other hardware:
> https://www.yubico.com/support/security-advisories/ysa-2017-01/
>
> There's a nice tool to test if a key is vulnerable:
> https://github.com/crocs-muni/roca
>
> \_o<

-- 
Eyal Edri
Manager, RHV DevOps, EMEA Virtualization R&D, Red Hat EMEA
phone: +972-9-7692018
irc: eedri (on #tlv #rhev-dev #rhev-integ)

From: Michael Scherer <mscherer@redhat.com>
To: oVirt Infra <infra@ovirt.org>
Subject: Re: Infineon firmware security issues

On Tuesday 17 October 2017 at 13:33 +0300, Eyal Edri wrote:
> Thanks,
>
> So if I have an old YubiKey (2.43) I shouldn't be affected, right? Only V4 is?

That's what the post on yubico.com seems to imply. We do not know what chipset is used in the key, so I can't give an educated guess. But I hear people using the YubiKey NEO weren't affected.

Now, only the CCID function is problematic, and only if you did generate the ssh key on the chip (e.g., followed the official doc on https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html and used "yubico-piv-tool -s 9a -a generate -o public.pem"). If you imported the key, then that should be ok. If you use the yubikey for non-smartcard use (e.g. U2F, 2FA for RH VPN or similar system), that's ok too.

> On Tue, Oct 17, 2017 at 12:56 PM, Marc Dequènes (Duck) <duck@redhat.com> wrote:
> > This affects Yubikeys and other hardware:
> > https://www.yubico.com/support/security-advisories/ysa-2017-01/
> >
> > There's a nice tool to test if a key is vulnerable:
> > https://github.com/crocs-muni/roca

-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
participants (3)
- Eyal Edri
- Marc Dequènes (Duck)
- Michael Scherer