Vulnerability-Lookup

CVE-2019-16863 (GCVE-0-2019-16863)

Vulnerability from cvelistv5 – Published: 2019-11-14 02:07 – Updated: 2024-08-05 01:24

Summary

STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://tpm.fail	x_refsource_MISC
	https://support.f5.com/csp/article/K32412503?utm_…	x_refsource_CONFIRM
	https://support.hpe.com/hpsc/doc/public/display?d…	x_refsource_CONFIRM
	https://support.lenovo.com/us/en/product_security…	x_refsource_CONFIRM
	https://www.st.com/content/st_com/en/campaigns/tp…	x_refsource_CONFIRM
	https://portal.msrc.microsoft.com/en-US/security-…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:24:48.370Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://tpm.fail"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.f5.com/csp/article/K32412503?utm_source=f5support\u0026amp%3Butm_medium=RSS"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03972en_us"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.lenovo.com/us/en/product_security/LEN-29406"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.st.com/content/st_com/en/campaigns/tpm-update.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-11-22T15:38:53.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://tpm.fail"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.f5.com/csp/article/K32412503?utm_source=f5support\u0026amp%3Butm_medium=RSS"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03972en_us"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.lenovo.com/us/en/product_security/LEN-29406"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.st.com/content/st_com/en/campaigns/tpm-update.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-16863",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://tpm.fail",
              "refsource": "MISC",
              "url": "http://tpm.fail"
            },
            {
              "name": "https://support.f5.com/csp/article/K32412503?utm_source=f5support\u0026amp;utm_medium=RSS",
              "refsource": "CONFIRM",
              "url": "https://support.f5.com/csp/article/K32412503?utm_source=f5support\u0026amp;utm_medium=RSS"
            },
            {
              "name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03972en_us",
              "refsource": "CONFIRM",
              "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03972en_us"
            },
            {
              "name": "https://support.lenovo.com/us/en/product_security/LEN-29406",
              "refsource": "CONFIRM",
              "url": "https://support.lenovo.com/us/en/product_security/LEN-29406"
            },
            {
              "name": "https://www.st.com/content/st_com/en/campaigns/tpm-update.html",
              "refsource": "CONFIRM",
              "url": "https://www.st.com/content/st_com/en/campaigns/tpm-update.html"
            },
            {
              "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024",
              "refsource": "MISC",
              "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-16863",
    "datePublished": "2019-11-14T02:07:52.000Z",
    "dateReserved": "2019-09-24T00:00:00.000Z",
    "dateUpdated": "2024-08-05T01:24:48.370Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2019-16863",
      "date": "2026-05-05",
      "epss": "0.00265",
      "percentile": "0.4983"
    },
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:st:st33tphf2espi_firmware:71.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1E02FA82-86F3-455A-96B4-0CF6AD5300AB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:st:st33tphf2espi_firmware:71.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D45CA39E-D389-4814-9F17-BB80E31111D6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:st:st33tphf2espi_firmware:71.12:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"16E689C5-8859-4324-929D-5F22BF852699\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:st:st33tphf2espi_firmware:73.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"00ED1FEA-D1BD-46B0-98C0-318431C2BDF2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:st:st33tphf2espi_firmware:73.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"97A26020-0E69-43D9-8422-51802E70111C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:st:st33tphf2espi_firmware:73.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"262725D9-6D98-41C7-827F-AE4FA29E779D\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:st:st33tphf2espi:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"69A66F8A-B19E-42EC-9050-4EDD6810F6F9\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:st:st33tphf2ei2c_firmware:73.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"208125BB-4384-410A-8694-1C55949BA585\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:st:st33tphf2ei2c_firmware:73.9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B31602FD-7B13-440F-9A8E-3B8CB560B129\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:st:st33tphf2ei2c:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9236BB07-5AB5-4361-8632-500FF117FC8D\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:st:st33tphf20spi_firmware:74.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1A4B6FAF-F55B-48FC-8CF5-14416C696C20\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:st:st33tphf20spi_firmware:74.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EECD04C3-257B-4269-B62F-6F4364BEBCD3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:st:st33tphf20spi_firmware:74.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A5C09245-C219-4D4C-AECF-BFECB5BDAC9D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:st:st33tphf20spi_firmware:74.16:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"54267EB9-94CA-41D9-987C-0B310E620161\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:st:st33tphf20spi:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5AD1B922-F920-48CD-AD8A-8FFF07E7005C\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:st:st33tphf20i2c_firmware:74.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"305B9B97-8EFE-4666-82EF-3BA7059F3925\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:st:st33tphf20i2c_firmware:74.9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"23448585-9D09-44FB-B26E-A7074AE9B9C4\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:st:st33tphf20i2c:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"66CEA512-EA0A-4E31-891B-27AC1E7B5E00\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.\"}, {\"lang\": \"es\", \"value\": \"Los dispositivos STMicroelectronics ST33TPHF2ESPI TPM antes del 12-09-2019, permiten a atacantes extraer la clave privada ECDSA por medio de un ataque de sincronizaci\\u00f3n de canal lateral porque la multiplicaci\\u00f3n escalar de ECDSA es manejada inapropiadamente, tambi\\u00e9n se conoce como TPM-FAIL.\"}]",
      "id": "CVE-2019-16863",
      "lastModified": "2024-11-21T04:31:13.540",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:N/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2019-11-14T03:15:11.510",
      "references": "[{\"url\": \"http://tpm.fail\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://support.f5.com/csp/article/K32412503?utm_source=f5support\u0026amp%3Butm_medium=RSS\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03972en_us\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://support.lenovo.com/us/en/product_security/LEN-29406\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.st.com/content/st_com/en/campaigns/tpm-update.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://tpm.fail\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://support.f5.com/csp/article/K32412503?utm_source=f5support\u0026amp%3Butm_medium=RSS\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03972en_us\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://support.lenovo.com/us/en/product_security/LEN-29406\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.st.com/content/st_com/en/campaigns/tpm-update.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-203\"}, {\"lang\": \"en\", \"value\": \"CWE-327\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-16863\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-11-14T03:15:11.510\",\"lastModified\":\"2024-11-21T04:31:13.540\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.\"},{\"lang\":\"es\",\"value\":\"Los dispositivos STMicroelectronics ST33TPHF2ESPI TPM antes del 12-09-2019, permiten a atacantes extraer la clave privada ECDSA por medio de un ataque de sincronizaci\u00f3n de canal lateral porque la multiplicaci\u00f3n escalar de ECDSA es manejada inapropiadamente, tambi\u00e9n se conoce como TPM-FAIL.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:N/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-203\"},{\"lang\":\"en\",\"value\":\"CWE-327\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:st:st33tphf2espi_firmware:71.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1E02FA82-86F3-455A-96B4-0CF6AD5300AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:st:st33tphf2espi_firmware:71.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D45CA39E-D389-4814-9F17-BB80E31111D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:st:st33tphf2espi_firmware:71.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"16E689C5-8859-4324-929D-5F22BF852699\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:st:st33tphf2espi_firmware:73.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"00ED1FEA-D1BD-46B0-98C0-318431C2BDF2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:st:st33tphf2espi_firmware:73.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"97A26020-0E69-43D9-8422-51802E70111C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:st:st33tphf2espi_firmware:73.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"262725D9-6D98-41C7-827F-AE4FA29E779D\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:st:st33tphf2espi:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"69A66F8A-B19E-42EC-9050-4EDD6810F6F9\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:st:st33tphf2ei2c_firmware:73.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"208125BB-4384-410A-8694-1C55949BA585\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:st:st33tphf2ei2c_firmware:73.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B31602FD-7B13-440F-9A8E-3B8CB560B129\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:st:st33tphf2ei2c:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9236BB07-5AB5-4361-8632-500FF117FC8D\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:st:st33tphf20spi_firmware:74.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1A4B6FAF-F55B-48FC-8CF5-14416C696C20\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:st:st33tphf20spi_firmware:74.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EECD04C3-257B-4269-B62F-6F4364BEBCD3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:st:st33tphf20spi_firmware:74.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A5C09245-C219-4D4C-AECF-BFECB5BDAC9D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:st:st33tphf20spi_firmware:74.16:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"54267EB9-94CA-41D9-987C-0B310E620161\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:st:st33tphf20spi:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5AD1B922-F920-48CD-AD8A-8FFF07E7005C\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:st:st33tphf20i2c_firmware:74.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"305B9B97-8EFE-4666-82EF-3BA7059F3925\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:st:st33tphf20i2c_firmware:74.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"23448585-9D09-44FB-B26E-A7074AE9B9C4\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:st:st33tphf20i2c:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"66CEA512-EA0A-4E31-891B-27AC1E7B5E00\"}]}]}],\"references\":[{\"url\":\"http://tpm.fail\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://support.f5.com/csp/article/K32412503?utm_source=f5support\u0026amp%3Butm_medium=RSS\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03972en_us\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://support.lenovo.com/us/en/product_security/LEN-29406\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.st.com/content/st_com/en/campaigns/tpm-update.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://tpm.fail\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://support.f5.com/csp/article/K32412503?utm_source=f5support\u0026amp%3Butm_medium=RSS\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03972en_us\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://support.lenovo.com/us/en/product_security/LEN-29406\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.st.com/content/st_com/en/campaigns/tpm-update.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

FKIE_CVE-2019-16863

Vulnerability from fkie_nvd - Published: 2019-11-14 03:15 - Updated: 2024-11-21 04:31

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
cve@mitre.org	http://tpm.fail	Third Party Advisory
cve@mitre.org	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024	Third Party Advisory
cve@mitre.org	https://support.f5.com/csp/article/K32412503?utm_source=f5support&amp%3Butm_medium=RSS
cve@mitre.org	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03972en_us	Third Party Advisory
cve@mitre.org	https://support.lenovo.com/us/en/product_security/LEN-29406	Third Party Advisory
cve@mitre.org	https://www.st.com/content/st_com/en/campaigns/tpm-update.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://tpm.fail	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://support.f5.com/csp/article/K32412503?utm_source=f5support&amp%3Butm_medium=RSS
af854a3a-2127-422b-91ae-364da2661108	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03972en_us	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://support.lenovo.com/us/en/product_security/LEN-29406	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.st.com/content/st_com/en/campaigns/tpm-update.html	Vendor Advisory

Impacted products

Vendor	Product	Version
st	st33tphf2espi_firmware	71.0
st	st33tphf2espi_firmware	71.4
st	st33tphf2espi_firmware	71.12
st	st33tphf2espi_firmware	73.0
st	st33tphf2espi_firmware	73.4
st	st33tphf2espi_firmware	73.8
st	st33tphf2espi	-
st	st33tphf2ei2c_firmware	73.5
st	st33tphf2ei2c_firmware	73.9
st	st33tphf2ei2c	-
st	st33tphf20spi_firmware	74.0
st	st33tphf20spi_firmware	74.4
st	st33tphf20spi_firmware	74.8
st	st33tphf20spi_firmware	74.16
st	st33tphf20spi	-
st	st33tphf20i2c_firmware	74.5
st	st33tphf20i2c_firmware	74.9
st	st33tphf20i2c	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:st:st33tphf2espi_firmware:71.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1E02FA82-86F3-455A-96B4-0CF6AD5300AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:st:st33tphf2espi_firmware:71.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "D45CA39E-D389-4814-9F17-BB80E31111D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:st:st33tphf2espi_firmware:71.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "16E689C5-8859-4324-929D-5F22BF852699",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:st:st33tphf2espi_firmware:73.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "00ED1FEA-D1BD-46B0-98C0-318431C2BDF2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:st:st33tphf2espi_firmware:73.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "97A26020-0E69-43D9-8422-51802E70111C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:st:st33tphf2espi_firmware:73.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "262725D9-6D98-41C7-827F-AE4FA29E779D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:st:st33tphf2espi:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "69A66F8A-B19E-42EC-9050-4EDD6810F6F9",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:st:st33tphf2ei2c_firmware:73.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "208125BB-4384-410A-8694-1C55949BA585",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:st:st33tphf2ei2c_firmware:73.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "B31602FD-7B13-440F-9A8E-3B8CB560B129",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:st:st33tphf2ei2c:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "9236BB07-5AB5-4361-8632-500FF117FC8D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:st:st33tphf20spi_firmware:74.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1A4B6FAF-F55B-48FC-8CF5-14416C696C20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:st:st33tphf20spi_firmware:74.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "EECD04C3-257B-4269-B62F-6F4364BEBCD3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:st:st33tphf20spi_firmware:74.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "A5C09245-C219-4D4C-AECF-BFECB5BDAC9D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:st:st33tphf20spi_firmware:74.16:*:*:*:*:*:*:*",
              "matchCriteriaId": "54267EB9-94CA-41D9-987C-0B310E620161",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:st:st33tphf20spi:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5AD1B922-F920-48CD-AD8A-8FFF07E7005C",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:st:st33tphf20i2c_firmware:74.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "305B9B97-8EFE-4666-82EF-3BA7059F3925",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:st:st33tphf20i2c_firmware:74.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "23448585-9D09-44FB-B26E-A7074AE9B9C4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:st:st33tphf20i2c:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "66CEA512-EA0A-4E31-891B-27AC1E7B5E00",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL."
    },
    {
      "lang": "es",
      "value": "Los dispositivos STMicroelectronics ST33TPHF2ESPI TPM antes del 12-09-2019, permiten a atacantes extraer la clave privada ECDSA por medio de un ataque de sincronizaci\u00f3n de canal lateral porque la multiplicaci\u00f3n escalar de ECDSA es manejada inapropiadamente, tambi\u00e9n se conoce como TPM-FAIL."
    }
  ],
  "id": "CVE-2019-16863",
  "lastModified": "2024-11-21T04:31:13.540",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-11-14T03:15:11.510",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://tpm.fail"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://support.f5.com/csp/article/K32412503?utm_source=f5support\u0026amp%3Butm_medium=RSS"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03972en_us"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://support.lenovo.com/us/en/product_security/LEN-29406"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.st.com/content/st_com/en/campaigns/tpm-update.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://tpm.fail"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://support.f5.com/csp/article/K32412503?utm_source=f5support\u0026amp%3Butm_medium=RSS"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03972en_us"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://support.lenovo.com/us/en/product_security/LEN-29406"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.st.com/content/st_com/en/campaigns/tpm-update.html"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-203"
        },
        {
          "lang": "en",
          "value": "CWE-327"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2019-16863

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2019-16863

Aliases

CVE-2019-16863

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-16863",
    "description": "STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.",
    "id": "GSD-2019-16863"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-16863"
      ],
      "details": "STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.",
      "id": "GSD-2019-16863",
      "modified": "2023-12-13T01:23:40.277312Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2019-16863",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://tpm.fail",
            "refsource": "MISC",
            "url": "http://tpm.fail"
          },
          {
            "name": "https://support.f5.com/csp/article/K32412503?utm_source=f5support\u0026amp;utm_medium=RSS",
            "refsource": "CONFIRM",
            "url": "https://support.f5.com/csp/article/K32412503?utm_source=f5support\u0026amp;utm_medium=RSS"
          },
          {
            "name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03972en_us",
            "refsource": "CONFIRM",
            "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03972en_us"
          },
          {
            "name": "https://support.lenovo.com/us/en/product_security/LEN-29406",
            "refsource": "CONFIRM",
            "url": "https://support.lenovo.com/us/en/product_security/LEN-29406"
          },
          {
            "name": "https://www.st.com/content/st_com/en/campaigns/tpm-update.html",
            "refsource": "CONFIRM",
            "url": "https://www.st.com/content/st_com/en/campaigns/tpm-update.html"
          },
          {
            "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024",
            "refsource": "MISC",
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:st:st33tphf2espi_firmware:71.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:st:st33tphf2espi_firmware:71.4:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:st:st33tphf2espi_firmware:71.12:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:st:st33tphf2espi_firmware:73.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:st:st33tphf2espi_firmware:73.4:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:st:st33tphf2espi_firmware:73.8:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:st:st33tphf2espi:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:st:st33tphf2ei2c_firmware:73.5:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:st:st33tphf2ei2c_firmware:73.9:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:st:st33tphf2ei2c:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:st:st33tphf20spi_firmware:74.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:st:st33tphf20spi_firmware:74.4:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:st:st33tphf20spi_firmware:74.8:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:st:st33tphf20spi_firmware:74.16:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:st:st33tphf20spi:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:st:st33tphf20i2c_firmware:74.5:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:st:st33tphf20i2c_firmware:74.9:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:st:st33tphf20i2c:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-16863"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-327"
                },
                {
                  "lang": "en",
                  "value": "CWE-203"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://tpm.fail",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://tpm.fail"
            },
            {
              "name": "https://support.f5.com/csp/article/K32412503?utm_source=f5support\u0026amp;utm_medium=RSS",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://support.f5.com/csp/article/K32412503?utm_source=f5support\u0026amp;utm_medium=RSS"
            },
            {
              "name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03972en_us",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03972en_us"
            },
            {
              "name": "https://support.lenovo.com/us/en/product_security/LEN-29406",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://support.lenovo.com/us/en/product_security/LEN-29406"
            },
            {
              "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024"
            },
            {
              "name": "https://www.st.com/content/st_com/en/campaigns/tpm-update.html",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.st.com/content/st_com/en/campaigns/tpm-update.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-05-03T14:28Z",
      "publishedDate": "2019-11-14T03:15Z"
    }
  }
}

CERTFR-2019-AVI-595

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans les TPM STMicroelectronics. Elle permet à un attaquant de provoquer une atteinte à l'intégrité des données et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
STMicroelectronics	ST33TPHF2EI2C	ST33TPHF2EI2C dont la version du microgiciel est antérieures à 73.65
STMicroelectronics	ST33TPHF2ESPI	ST33TPHF2ESPI dont la version du microgiciel est antérieures à 73.64
STMicroelectronics	ST33TPHF2EI2C	ST33TPHF2EI2C dont la version du microgiciel est antérieures à 73.21
STMicroelectronics	ST33TPHF20I2C	ST33TPHF20I2C dont la version du microgiciel est antérieures à 74.65
STMicroelectronics	ST33TPHF20SPI	ST33TPHF20SPI dont la version du microgiciel est antérieures à 74.20
STMicroelectronics	ST33TPHF2ESPI	ST33TPHF2ESPI dont la version du microgiciel est antérieures à 71.16
STMicroelectronics	ST33TPHF20SPI	ST33TPHF20SPI dont la version du microgiciel est antérieures à 74.64
STMicroelectronics	ST33TPHF2ESPI	ST33TPHF2ESPI dont la version du microgiciel est antérieures à 73.20
STMicroelectronics	ST33TPHF20I2C	ST33TPHF20I2C dont la version du microgiciel est antérieures à 74.21

References

Title

Publication Time

Tags

Bulletin de sécurité STMicroelectronics

2019-11-13

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "ST33TPHF2EI2C dont la version du microgiciel est ant\u00e9rieures \u00e0 73.65",
      "product": {
        "name": "ST33TPHF2EI2C",
        "vendor": {
          "name": "STMicroelectronics",
          "scada": false
        }
      }
    },
    {
      "description": "ST33TPHF2ESPI dont la version du microgiciel est ant\u00e9rieures \u00e0 73.64",
      "product": {
        "name": "ST33TPHF2ESPI",
        "vendor": {
          "name": "STMicroelectronics",
          "scada": false
        }
      }
    },
    {
      "description": "ST33TPHF2EI2C dont la version du microgiciel est ant\u00e9rieures \u00e0 73.21",
      "product": {
        "name": "ST33TPHF2EI2C",
        "vendor": {
          "name": "STMicroelectronics",
          "scada": false
        }
      }
    },
    {
      "description": "ST33TPHF20I2C dont la version du microgiciel est ant\u00e9rieures \u00e0 74.65",
      "product": {
        "name": "ST33TPHF20I2C",
        "vendor": {
          "name": "STMicroelectronics",
          "scada": false
        }
      }
    },
    {
      "description": "ST33TPHF20SPI dont la version du microgiciel est ant\u00e9rieures \u00e0 74.20",
      "product": {
        "name": "ST33TPHF20SPI",
        "vendor": {
          "name": "STMicroelectronics",
          "scada": false
        }
      }
    },
    {
      "description": "ST33TPHF2ESPI dont la version du microgiciel est ant\u00e9rieures \u00e0 71.16",
      "product": {
        "name": "ST33TPHF2ESPI",
        "vendor": {
          "name": "STMicroelectronics",
          "scada": false
        }
      }
    },
    {
      "description": "ST33TPHF20SPI dont la version du microgiciel est ant\u00e9rieures \u00e0 74.64",
      "product": {
        "name": "ST33TPHF20SPI",
        "vendor": {
          "name": "STMicroelectronics",
          "scada": false
        }
      }
    },
    {
      "description": "ST33TPHF2ESPI dont la version du microgiciel est ant\u00e9rieures \u00e0 73.20",
      "product": {
        "name": "ST33TPHF2ESPI",
        "vendor": {
          "name": "STMicroelectronics",
          "scada": false
        }
      }
    },
    {
      "description": "ST33TPHF20I2C dont la version du microgiciel est ant\u00e9rieures \u00e0 74.21",
      "product": {
        "name": "ST33TPHF20I2C",
        "vendor": {
          "name": "STMicroelectronics",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-16863",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-16863"
    }
  ],
  "links": [],
  "reference": "CERTFR-2019-AVI-595",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2019-11-27T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans les TPM STMicroelectronics. Elle\npermet \u00e0 un attaquant de provoquer une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des\ndonn\u00e9es et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans les TPM STMicroelectronics",
  "vendor_advisories": [
    {
      "published_at": "2019-11-13",
      "title": "Bulletin de s\u00e9curit\u00e9 STMicroelectronics",
      "url": "https://www.st.com/content/st_com/en/campaigns/tpm-update.html"
    }
  ]
}

CERTFR-2019-AVI-595

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
STMicroelectronics	ST33TPHF2EI2C	ST33TPHF2EI2C dont la version du microgiciel est antérieures à 73.65
STMicroelectronics	ST33TPHF2ESPI	ST33TPHF2ESPI dont la version du microgiciel est antérieures à 73.64
STMicroelectronics	ST33TPHF2EI2C	ST33TPHF2EI2C dont la version du microgiciel est antérieures à 73.21
STMicroelectronics	ST33TPHF20I2C	ST33TPHF20I2C dont la version du microgiciel est antérieures à 74.65
STMicroelectronics	ST33TPHF20SPI	ST33TPHF20SPI dont la version du microgiciel est antérieures à 74.20
STMicroelectronics	ST33TPHF2ESPI	ST33TPHF2ESPI dont la version du microgiciel est antérieures à 71.16
STMicroelectronics	ST33TPHF20SPI	ST33TPHF20SPI dont la version du microgiciel est antérieures à 74.64
STMicroelectronics	ST33TPHF2ESPI	ST33TPHF2ESPI dont la version du microgiciel est antérieures à 73.20
STMicroelectronics	ST33TPHF20I2C	ST33TPHF20I2C dont la version du microgiciel est antérieures à 74.21

References

Title

Publication Time

Tags

Bulletin de sécurité STMicroelectronics

2019-11-13

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "ST33TPHF2EI2C dont la version du microgiciel est ant\u00e9rieures \u00e0 73.65",
      "product": {
        "name": "ST33TPHF2EI2C",
        "vendor": {
          "name": "STMicroelectronics",
          "scada": false
        }
      }
    },
    {
      "description": "ST33TPHF2ESPI dont la version du microgiciel est ant\u00e9rieures \u00e0 73.64",
      "product": {
        "name": "ST33TPHF2ESPI",
        "vendor": {
          "name": "STMicroelectronics",
          "scada": false
        }
      }
    },
    {
      "description": "ST33TPHF2EI2C dont la version du microgiciel est ant\u00e9rieures \u00e0 73.21",
      "product": {
        "name": "ST33TPHF2EI2C",
        "vendor": {
          "name": "STMicroelectronics",
          "scada": false
        }
      }
    },
    {
      "description": "ST33TPHF20I2C dont la version du microgiciel est ant\u00e9rieures \u00e0 74.65",
      "product": {
        "name": "ST33TPHF20I2C",
        "vendor": {
          "name": "STMicroelectronics",
          "scada": false
        }
      }
    },
    {
      "description": "ST33TPHF20SPI dont la version du microgiciel est ant\u00e9rieures \u00e0 74.20",
      "product": {
        "name": "ST33TPHF20SPI",
        "vendor": {
          "name": "STMicroelectronics",
          "scada": false
        }
      }
    },
    {
      "description": "ST33TPHF2ESPI dont la version du microgiciel est ant\u00e9rieures \u00e0 71.16",
      "product": {
        "name": "ST33TPHF2ESPI",
        "vendor": {
          "name": "STMicroelectronics",
          "scada": false
        }
      }
    },
    {
      "description": "ST33TPHF20SPI dont la version du microgiciel est ant\u00e9rieures \u00e0 74.64",
      "product": {
        "name": "ST33TPHF20SPI",
        "vendor": {
          "name": "STMicroelectronics",
          "scada": false
        }
      }
    },
    {
      "description": "ST33TPHF2ESPI dont la version du microgiciel est ant\u00e9rieures \u00e0 73.20",
      "product": {
        "name": "ST33TPHF2ESPI",
        "vendor": {
          "name": "STMicroelectronics",
          "scada": false
        }
      }
    },
    {
      "description": "ST33TPHF20I2C dont la version du microgiciel est ant\u00e9rieures \u00e0 74.21",
      "product": {
        "name": "ST33TPHF20I2C",
        "vendor": {
          "name": "STMicroelectronics",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-16863",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-16863"
    }
  ],
  "links": [],
  "reference": "CERTFR-2019-AVI-595",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2019-11-27T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans les TPM STMicroelectronics. Elle\npermet \u00e0 un attaquant de provoquer une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des\ndonn\u00e9es et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans les TPM STMicroelectronics",
  "vendor_advisories": [
    {
      "published_at": "2019-11-13",
      "title": "Bulletin de s\u00e9curit\u00e9 STMicroelectronics",
      "url": "https://www.st.com/content/st_com/en/campaigns/tpm-update.html"
    }
  ]
}

CNVD-2020-22697

Vulnerability from cnvd - Published: 2020-04-13

Title

STMicroelectronics ST33TPHF2ESPI TPM加密问题漏洞

Description

STMicroelectronics ST33TPHF2ESPI TPM是瑞士意法半导体（STMicroelectronics）公司的一款可信计算平台模块。 STMicroelectronics ST33TPHF2ESPI TPM 2019-09-12之前版本中存在加密问题漏洞。该漏洞源于网络系统或产品未正确使用相关密码算法，导致内容未正确加密、弱加密、明文存储敏感信息等。目前没有详细的漏洞细节提供。

Severity

低

Patch Name

STMicroelectronics ST33TPHF2ESPI TPM加密问题漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新: https://wordpress.org/plugins/igniteup/#developers

Reference

https://wordpress.org/plugins/igniteup/#developers

Impacted products

Name
STMicroelectronics ST33TPHF2ESPI TPM <2019-09-12

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-16863",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-16863"
    }
  },
  "description": "STMicroelectronics ST33TPHF2ESPI TPM\u662f\u745e\u58eb\u610f\u6cd5\u534a\u5bfc\u4f53\uff08STMicroelectronics\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u53ef\u4fe1\u8ba1\u7b97\u5e73\u53f0\u6a21\u5757\u3002\n\nSTMicroelectronics ST33TPHF2ESPI TPM 2019-09-12\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u6b63\u786e\u4f7f\u7528\u76f8\u5173\u5bc6\u7801\u7b97\u6cd5\uff0c\u5bfc\u81f4\u5185\u5bb9\u672a\u6b63\u786e\u52a0\u5bc6\u3001\u5f31\u52a0\u5bc6\u3001\u660e\u6587\u5b58\u50a8\u654f\u611f\u4fe1\u606f\u7b49\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0:\r\nhttps://wordpress.org/plugins/igniteup/#developers",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-22697",
  "openTime": "2020-04-13",
  "patchDescription": "STMicroelectronics ST33TPHF2ESPI TPM\u662f\u745e\u58eb\u610f\u6cd5\u534a\u5bfc\u4f53\uff08STMicroelectronics\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u53ef\u4fe1\u8ba1\u7b97\u5e73\u53f0\u6a21\u5757\u3002\r\n\r\nSTMicroelectronics ST33TPHF2ESPI TPM 2019-09-12\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u6b63\u786e\u4f7f\u7528\u76f8\u5173\u5bc6\u7801\u7b97\u6cd5\uff0c\u5bfc\u81f4\u5185\u5bb9\u672a\u6b63\u786e\u52a0\u5bc6\u3001\u5f31\u52a0\u5bc6\u3001\u660e\u6587\u5b58\u50a8\u654f\u611f\u4fe1\u606f\u7b49\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "STMicroelectronics ST33TPHF2ESPI TPM\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "STMicroelectronics ST33TPHF2ESPI TPM \u003c2019-09-12"
  },
  "referenceLink": "https://wordpress.org/plugins/igniteup/#developers",
  "serverity": "\u4f4e",
  "submitTime": "2019-12-17",
  "title": "STMicroelectronics ST33TPHF2ESPI TPM\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e"
}

GHSA-WG83-V62R-WH2X

Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2022-05-24 17:01

Details

Severity ?

5.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-16863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-327"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-14T03:15:00Z",
    "severity": "MODERATE"
  },
  "details": "STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.",
  "id": "GHSA-wg83-v62r-wh2x",
  "modified": "2022-05-24T17:01:18Z",
  "published": "2022-05-24T17:01:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16863"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K32412503?utm_source=f5support\u0026amp;utm_medium=RSS"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03972en_us"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/us/en/product_security/LEN-29406"
    },
    {
      "type": "WEB",
      "url": "https://www.st.com/content/st_com/en/campaigns/tpm-update.html"
    },
    {
      "type": "WEB",
      "url": "http://tpm.fail"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

BDU:2020-00800

Vulnerability from fstec - Published: 13.11.2019

Title

Уязвимость реализации алгоритма ECDSA микропрограммного обеспечения TPM-процессоров STMicroelectronics ST33, позволяющая нарушителю восстановить значение закрытых ключей, хранимых в модуле TPM (Trusted Platform Module)

Description

Уязвимость реализации алгоритма ECDSA микропрограммного обеспечения TPM-процессоров STMicroelectronics ST33 связана с использованием криптографических алгоритмов, содержащих дефекты. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно,восстановить значение закрытых ключей, хранимых в модуле TPM (Trusted Platform Module)

Severity ?


                    
                      AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Vendor

STMicroelectronics

Software Name

ST33TPHF2ESPI, ST33TPHF2EI2C, ST33TPHF20SPI, ST33TPHF20I2C

Software Version

71.0 (ST33TPHF2ESPI), 71.4 (ST33TPHF2ESPI), 71.12 (ST33TPHF2ESPI), 73.0 (ST33TPHF2ESPI), 73.4 (ST33TPHF2ESPI), 73.8 (ST33TPHF2ESPI), 73.5 (ST33TPHF2EI2C), 73.9 (ST33TPHF2EI2C), 74.0 (ST33TPHF20SPI), 74.4 (ST33TPHF20SPI), 74.8 (ST33TPHF20SPI), 74.16 (ST33TPHF20SPI), 74.5 (ST33TPHF20I2C), 74.9 (ST33TPHF20I2C)

Possible Mitigations

Использование рекомендаций: https://www.st.com/content/st_com/en/campaigns/tpm-update.html

Reference

https://www.securitylab.ru/news/502531.php https://www.st.com/content/st_com/en/campaigns/tpm-update.html https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024 https://nvd.nist.gov/vuln/detail/CVE-2019-16863

CWE

CWE-327

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:H/Au:N/C:C/I:N/A:N",
  "CVSS 3.0": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "STMicroelectronics",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "71.0 (ST33TPHF2ESPI), 71.4 (ST33TPHF2ESPI), 71.12 (ST33TPHF2ESPI), 73.0 (ST33TPHF2ESPI), 73.4 (ST33TPHF2ESPI), 73.8 (ST33TPHF2ESPI), 73.5 (ST33TPHF2EI2C), 73.9 (ST33TPHF2EI2C), 74.0 (ST33TPHF20SPI), 74.4 (ST33TPHF20SPI), 74.8 (ST33TPHF20SPI), 74.16 (ST33TPHF20SPI), 74.5 (ST33TPHF20I2C), 74.9 (ST33TPHF20I2C)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://www.st.com/content/st_com/en/campaigns/tpm-update.html",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "13.11.2019",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "04.03.2020",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "04.03.2020",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2020-00800",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2019-16863",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "ST33TPHF2ESPI, ST33TPHF2EI2C, ST33TPHF20SPI, ST33TPHF20I2C",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u0430\u043b\u0433\u043e\u0440\u0438\u0442\u043c\u0430 ECDSA \u043c\u0438\u043a\u0440\u043e\u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f TPM-\u043f\u0440\u043e\u0446\u0435\u0441\u0441\u043e\u0440\u043e\u0432 STMicroelectronics ST33, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u043e\u0441\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 \u0437\u0430\u043a\u0440\u044b\u0442\u044b\u0445 \u043a\u043b\u044e\u0447\u0435\u0439, \u0445\u0440\u0430\u043d\u0438\u043c\u044b\u0445 \u0432 \u043c\u043e\u0434\u0443\u043b\u0435 TPM (Trusted Platform Module)",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043a\u0440\u0438\u043f\u0442\u043e\u0433\u0440\u0430\u0444\u0438\u0447\u0435\u0441\u043a\u0438\u0445 \u0430\u043b\u0433\u043e\u0440\u0438\u0442\u043c\u043e\u0432, \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0449\u0438\u0445 \u0434\u0435\u0444\u0435\u043a\u0442\u044b \u0438\u043b\u0438 \u0440\u0438\u0441\u043a\u0438 (CWE-327)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u0430\u043b\u0433\u043e\u0440\u0438\u0442\u043c\u0430 ECDSA \u043c\u0438\u043a\u0440\u043e\u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f TPM-\u043f\u0440\u043e\u0446\u0435\u0441\u0441\u043e\u0440\u043e\u0432 STMicroelectronics ST33 \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u043a\u0440\u0438\u043f\u0442\u043e\u0433\u0440\u0430\u0444\u0438\u0447\u0435\u0441\u043a\u0438\u0445 \u0430\u043b\u0433\u043e\u0440\u0438\u0442\u043c\u043e\u0432, \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0449\u0438\u0445 \u0434\u0435\u0444\u0435\u043a\u0442\u044b. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e,\u0432\u043e\u0441\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 \u0437\u0430\u043a\u0440\u044b\u0442\u044b\u0445 \u043a\u043b\u044e\u0447\u0435\u0439, \u0445\u0440\u0430\u043d\u0438\u043c\u044b\u0445 \u0432 \u043c\u043e\u0434\u0443\u043b\u0435 TPM (Trusted Platform Module)",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://www.securitylab.ru/news/502531.php\nhttps://www.st.com/content/st_com/en/campaigns/tpm-update.html\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-16863",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041c\u0438\u043a\u0440\u043e\u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-327",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 5,4)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 5,9)"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-16863 (GCVE-0-2019-16863)

FKIE_CVE-2019-16863

GSD-2019-16863

CERTFR-2019-AVI-595

Solution

CERTFR-2019-AVI-595

Solution

CNVD-2020-22697

GHSA-WG83-V62R-WH2X

BDU:2020-00800

Tags

Sightings

Nomenclature