lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 17 Jun 2021 09:08:47 +0200
From: Matthias Deeg <matthias.deeg@...s.de>
To: <fulldisclosure@...lists.org>
Subject: [FD] [SYSS-2021-007]: Protectimus SLIM NFC - External Control of
 System or Configuration Setting (CWE-15) (CVE-2021-32033)

Advisory ID: SYSS-2021-007
Product: Protectimus SLIM NFC
Manufacturer: Protectimus
Affected Version(s): Hardware Scheme 70 / Software Version 10.01
Tested Version(s): Hardware Scheme 70 / Software Version 10.01
Vulnerability Type: External Control of System or Configuration Setting
(CWE-15)
                    "Time Traveler Attack"
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2021-02-04
Solution Date: -
Public Disclosure: 2021-06-16
CVE Reference: CVE-2021-32033
Author of Advisory: Matthias Deeg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Protectimus SLIM NFC is a reprogrammable time-based one-time password
(TOTP) hardware token.

The manufacturer describes the product as follows (see [1]):

"
Protectimus SLIM mini is a new generation of reprogrammable TOTP
hardware tokens. They can be used in 2FA systems based on OATH
standards, and easily reflashed using an application installed on your
NFC-capable Android smartphone. It allows the user to determine the
OTP’s expires (30 or 60 seconds), and also set up a secret key.
"

Due to a design error, the time (internal real-time clock) of the
Protectimus SLIM TOTP hardware token can be set independently from the
used seed (secret key) for generating one-time passwords without any
required authentication.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

When analyzing the Protectimus SLIM TOTP hardware token, Matthias Deeg
found out that the time used by the Protectimus SLIM TOTP hardware token
can be set independently from the used seed value for generating
time-based one-time passwords without requiring any authentication.

Thus, an attacker with short-time physical access to a Protectimus SLIM
token can set the internal real-time clock (RTC) to the future,
generate one-time passwords, and reset the clock to the current time.

This allows for generating valid future time-based one-time passwords
without having further access to the hardware token.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

For demonstrating the time traveler attack exploiting the described
security vulnerability, Matthias Deeg developed a Lua script for the
Proxmark3 [2].

The following output exemplarily shows a successful attack for
generating a valid future one-time password for an attacker-chosen point
in time against a vulnerable Protectimus SLIM TOTP hardware token:

[usb] pm3 --> script run hf_14a_protectimus_nfc -t 2021-03-14T13:37:00+01:00
[+] executing lua
/home/matt/research/proxmark3/client/luascripts/hf_14a_protectimus_nfc.lua
[+] args '-t 2021-03-14T13:37:00+01:00'
[+] Found token with UID 3F10000323540E
[+] Set Unix time 1615725420
[!] Please power the token and press <ENTER>

[+] The future OTP on 2021-03-14T13:37:00+01:00 (1615725420) is 303831
[+] Set Unix time 1612451460

[+] finished hf_14a_protectimus_nfc


A SySS proof of concept video illustrating this security Vulnerability
is available on our SySS Pentest TV YouTube channel [5].

The developed Lua script for Proxmark3 is available on our GitHub
site [6].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS is not aware of a solution for the described security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-02-04: Vulnerability reported to manufacturer
2021-02-04: Manufacturer acknowledges receipt of security advisory and
            asks for further information
2021-02-05: SySS provides further information to manufacturer
2021-06-16: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Protectimus SLIM NFC
    https://www.protectimus.com/protectimus-slim-mini/
[2] Proxmark3 GitHub repository by the RFID Research Group
    https://github.com/RfidResearchGroup/proxmark3
[3] SySS Security Advisory SYSS-2021-007

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-007.txt
[4] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[5] SySS Proof of Concept Video: To the Future and Back - Attacking a
TOTP Hardware Token
    https://www.youtube.com/watch?v=C0pM6TIyvXI
[6] Protectimus SLIM NFC Lua script for Proxmark3
    https://github.com/SySS-Research/protectimus-slim-proxmark3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Deeg of SySS GmbH.

E-Mail: matthias.deeg (at) syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en


Download attachment "OpenPGP_signature" of type "application/pgp-signature" (841 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists