AppDefects
Community Champion

HSM Testing and Defect Discovery

At this year's Black Hat USA we'll see a presentation from a couple of researchers that discovered remote unauthenticated attacks giving full control of a Hardware Security Module (HSM) and complete access to keys and secrets stored on it. That's pretty serious stuff! Cryptosense validated the vulnerability here.

 

Researchers used the SDK provided with the HSM to upload a custom firmware module to the unit. This gave them access to a shell inside the HSM that they could use to run a debugger and analyze the inner workings of the unit. From there, they ran a fuzzer to send random queries to the HSM's PKCS #11 API looking for parameters that would throw the HSM into an unstable state. The tests uncovered several buffer overflow error bugs that they could trigger by sending the HSM certain commands.

4 Replies
MikeGlassman
Contributor II

This is all good and well, but the topic should be changed to:

 

"HSM (insecurity) flaw in unnamed HSM hardware"

 

People might speed read and think every HSM has or might have the same flaw.

Sincerely,

Mike Glassman, CISSP
Iguana man
RobertM
Newcomer II

It's probably the Gemalto Ledger Vault HSM. Not the Safenet Line of products:

https://safenet.gemalto.com/technical-support/security-updates/

AppDefects
Community Champion

You nailed it @RobertM with that link. The specific issue is with Gemalto ProtectServer HSMs running firmware versions from 3.20.00 to 3.20.10 and ProtectServer-2 HSMs running firmware between 5.00.02 and 5.03.00. 
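
An added example, not part of the original post or any vendor tooling: a small inventory check that flags units whose firmware falls inside the ranges quoted above. The CSV layout (hostname, model, firmware) and the hostnames are constructed for illustration; versions are compared numerically so that 3.20.2 and 5.3.0 are handled correctly.

```python
import re

# Affected firmware ranges as stated in the post above (inclusive on both ends).
AFFECTED = {
    "protectserver": ((3, 20, 0), (3, 20, 10)),
    "protectserver-2": ((5, 0, 2), (5, 3, 0)),
}

def parse_version(text):
    """Turn '5.03.00' into (5, 3, 0); return None unless it has three numeric fields."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(model, firmware):
    """Return 'affected', 'not-affected' or 'unknown' for one unit."""
    rng = AFFECTED.get(model.strip().lower())  # exact match: ProtectServer != ProtectServer-2
    ver = parse_version(firmware)
    if rng is None or ver is None:
        return "unknown"  # model not covered by the post, or unparsable version
    low, high = rng
    # Tuple comparison is numeric per field; string comparison would rank
    # "3.20.2" above "3.20.10" and miss an affected unit.
    return "affected" if low <= ver <= high else "not-affected"

# Constructed sample inventory: hostname,model,firmware
SAMPLE_INVENTORY = """\
hsm-a01,ProtectServer,3.20.05
hsm-a02,ProtectServer,3.20.11
hsm-b01,ProtectServer-2,5.3.0
hsm-b02,ProtectServer-2,5.00.01
hsm-c01,ProtectServer-2,unknown
"""

def audit(inventory_text):
    """Map each hostname in the CSV text to its classification."""
    results = {}
    for line in inventory_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            continue  # skip blank or malformed rows
        host, model, firmware = fields
        results[host] = classify(model, firmware)
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```
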

AppDefects
Community Champion


@MikeGlassman wrote:

 

People might speed read and think every HSM has or might have the same flaw.


You're right, the sky is not falling and the design "flaw" is not systemic. We can still have faith in HSMs.