Hardware Appliance 3.9.2 Release Notes
NOVEMBER 2021
This maintenance release resolves a security issue when using smart cards to additionally secure key material in PKCS#11 R2 mode.
Security Issue
Slots Configured for Smartcard Authentication can be Activated by Password Alone
When using smart card activated slots, or when a smart card is required to start the application in PKCS#11 R2 mode, the internal HSM was insecurely configured in prior firmware releases.
The insecure configuration of the HSM means that the HSM did not enforce the smart card requirement and that only the authentication code was checked. In recent Hardware Appliance firmware versions, the smart card check can be circumvented (while the correct authentication code is still required).
To check the PKCS#11 variant and HSM smart card activations of your installation, navigate to the Hardware Appliance WebConf HSM tab. The overview displays the PKCS#11 Variant used and whether HSM Smart Card Activations is enabled for one of the slots or for boot, see HSM.
Severity
- High - correct authentication code is still required.
Two weeks after the release of Hardware Appliance 3.9.2 this issue will be reported as a CVE.
Who is not affected
- Installations that use PKCS#11 R1 are not affected.
- Installations that neither use smart cards for activating slots nor on boot or application start are not affected.
- Installations that use smart cards only for backup encryption by using a Master Backup Key (MBK) are not affected.
To check the PKCS#11 variant and HSM smart card activations of your installation, navigate to the Hardware Appliance WebConf HSM tab.
Who is potentially affected
Smart card activated slots in PKCS#11 R2 mode have been supported since 3.3.0; all of these versions are affected.
To check the PKCS#11 variant and HSM smart card activations of your installation, navigate to the Hardware Appliance WebConf HSM tab.
Mitigation
To resolve the issue, Hardware Appliance version 3.9.2 or later must be installed, and then the HSM must be reconfigured. The HSM is reconfigured using the WebConf Wizard options Restore system from backup or Connect to Cluster.
Recommended Upgrade Steps
To upgrade a single standalone node:
- Take a backup.
- Perform an external erase and reboot.
- Use the WebConf Wizard Update option to upgrade to software ≥3.9.2.
- Use the WebConf Wizard Restore system from backup option to restore the previously created backup (see Restore System from Backup).
To upgrade a cluster of nodes, the following upgrade steps should be executed one node at a time:
- Ensure all nodes are connected to each other and active.
- For one node at a time:
  - Perform an external erase and reboot.
  - Use the WebConf Wizard Update option to upgrade to software ≥3.9.2.
  - Download the Cluster Setup Bundle from another node.
  - Use the WebConf Wizard Connect to Cluster option on the node in question and upload the Cluster Setup Bundle (see Connect to cluster).
- Continue with updating your cluster by performing steps 1 and 2 on the next cluster node until all remaining nodes are upgraded.
How to check if the fix is applied
In WebConf, navigate to Platform, click the Support tab and create and download a Support Package. If the Support Package contains the file vhsm_cmds.cfg, the Hardware Appliance is not vulnerable. In clusters, each node has to be checked individually.
Within EJBCA, even with the fix applied, you may still be able to activate crypto tokens without entering the required smart cards. However, existing keys cannot be used and new keys cannot be created.
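The Support Package check described above can be scripted when a cluster has several nodes to verify. The following is an added example, not code from the vendor or from these release notes; it assumes the downloaded Support Package is a zip or tar archive (the notes do not state the format), and the node labels and paths are hypothetical. Because the notes only state that the presence of vhsm_cmds.cfg means the appliance is not vulnerable, a package without the file is reported as "marker missing" for manual follow-up.

```python
import sys
import tarfile
import zipfile
from pathlib import PurePosixPath

MARKER = "vhsm_cmds.cfg"  # file name given in the release notes


def member_names(package_path):
    """List member paths of a Support Package (assumption: zip or tar)."""
    if zipfile.is_zipfile(package_path):
        with zipfile.ZipFile(package_path) as zf:
            return zf.namelist()
    if tarfile.is_tarfile(package_path):
        with tarfile.open(package_path) as tf:
            return tf.getnames()
    raise ValueError(f"{package_path}: not a zip or tar archive")


def has_fix_marker(package_path):
    """True if any member's base name is exactly vhsm_cmds.cfg."""
    names = member_names(package_path)
    return any(PurePosixPath(n).name == MARKER for n in names)


def check_cluster(packages):
    """packages maps a node label to its own Support Package path.

    Each node must supply its own package; one node's result says
    nothing about the others.
    """
    results = {}
    for node, path in packages.items():
        try:
            found = has_fix_marker(path)
            results[node] = "fix applied" if found else "marker missing"
        except (OSError, ValueError) as exc:
            results[node] = f"unreadable: {exc}"
    return results


if __name__ == "__main__":
    # Usage: python check_fix.py node1=/path/a.zip node2=/path/b.tar.gz
    report = check_cluster(dict(a.split("=", 1) for a in sys.argv[1:]))
    for node, status in report.items():
        print(f"{node}: {status}")
    ok = report and all(s == "fix applied" for s in report.values())
    sys.exit(0 if ok else 1)
```

The script exits non-zero if any node's package lacks the file or cannot be read, so it can gate a post-upgrade checklist.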