Message-ID: <5ADAEC88.3030403@security-explorations.com>
Date: Sat, 21 Apr 2018 09:47:20 +0200
From: Security Explorations <contact@...urity-explorations.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] [SE-2011-01] The origin and impact of vulnerabilities in ST chipsets


Hello All,

We have published an initial document describing the origin and impact
of the vulnerabilities discovered in ST chipsets along with some rationale
indicating why it is worth digging further into this case:

http://www.security-explorations.com/materials/se-2011-01-st-impact.pdf

This document is a work in progress. As such, it will be updated once
new information is acquired regarding the impact of the issues found.

ST vulnerabilities are still a mystery to many and we keep receiving
inquiries about them regardless of the fact that almost 6 years had
passed since the disclosure. STMicroelectronics, although out of STB
and DVB chipset business, has not provided us with any details regarding
the impact of the issues found.

We have reasons to believe that vulnerable IP (TKD Crypto core of STi7111
SoC) might be part of other ST chipsets and/or part of other vendors'
solutions, not necessarily related to PayTV industry (e-passports, banking
cards and SIM cards).

We have reasons to believe that ST actions were aimed to hide the impact
of the issues found, that company's shareholders were not aware of these
vulnerabilities, their impact and associated liabilities. We have reasons
to believe that the issues have not been resolved up to this day.

In Mar 2018, we asked CERT-FR (French governmental CSIRT) and IT-CERT
(CERT Nazionale Italia) for assistance aimed at obtaining information
from STMicroelectronics regarding security issues found in their chipsets
(ST is a French-Italian company and both French and Italian governments
hold 13.8% of its stake each). For some unknown reason, both CERTs have
stopped responding to our messages [1]. We are still to hear from US-CERT.

Over the last 20+ years, we have been dealing with various vendors and
ecosystems (desktop, cloud, mobile, etc.). The case of STMicroelectronics
vulnerabilities is however truly unique as we have never met with such
a persistent and long-term refusal to provide information pertaining to
the impact and addressing of security vulnerabilities found.

The usual "crisis management" conducted by vendors for disclosures of high
impact flaws involves carefully-worded statements indicating that the issues
affect older products only or in case of low / limited impact flaws, a
vendor usually publishes a list of vulnerable products to clearly emphasize
the low nature of the issues found.

ST refusal to provide any information pertaining to the impact of the flaws
found in its chipsets can be perceived in terms of intentionally hiding the
impact of a much larger magnitude than anticipated by the reporting party,
customers or the public. It could be that these actions are aimed at
avoiding the liabilities associated with manufacturing flawed products, the
costs of their recalls and/or replacements.

ST has all the means to end any speculation pertaining to the nature of the
issues found in its chipsets and their impact by simply delivering clear
impact information to general public (vulnerable chipset models, whether
vulnerable IP is used in other products, possible remediation steps, etc).

Security Explorations will continue engaging various entities such as
US-CERT in a goal to acquire accurate information pertaining to the impact
and addressing of ST vulnerabilities. The newly published document and our
SE-2011-01 Vendor Status page will reflect any new information acquired and
the steps taken to obtain it.

We are also ready to release to the public all unpublished bits pertaining
to our research of ST chipsets such as SRP-2018-01 [2] material if deemed
necessary.

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to a new level"
---------------------------------------------

References:
[1] SE-2011-01 Vendors status
     http://www.security-explorations.com/en/SE-2011-01-status.html
[2] SRP-2018-01 Reverse engineering tools for ST DVB chipsets
     http://www.security-explorations.com/materials/SRP-2018-01.pdf

