HID Global’s Response to the Infineon Trusted Platform Module Vulnerability

ymassard@hidglobal.com's picture

On October 16th, 2017, the NIST National Vulnerability Database added entry CVE-2017-15361, describing a bug in an Infineon RSA library used in many Trusted Platform Modules and smart cards currently in use. This vulnerability could allow discovery of private RSA keys, even without possession of your smart card or TPM. From there, the attacker would be able to impersonate you and/or decrypt your data.

Upon learning of this vulnerability, HID Global performed a thorough analysis of our product portfolio and can confirm that our Crescendo smart card product lines, as well as our ActivKey SIM USB dongles, are not affected by CVE-2017-15361. This includes the Crescendo 1100, 1150, 1300, Crescendo 144K FIPS and Crescendo PIV smart cards. Additionally, legacy & EOL cards sold under the ActivIdentity brand, including ActivIdentity 64K, 80K and 114K smart cards, are not affected.

For anyone using HID Global credential management products, such as ActivID® CMS or ActivID ActivClient®, together with third-party credentials (e.g. third-party smart cards, virtual smart cards based on TPMs), we advise that you contact your specific third-party credential vendor regarding their position on this vulnerability.

For our customers, HID sales representatives and our technical support team stand ready to address any questions raised on the matter and discuss recommended best practices to keep your digital security current.

For more information on our Crescendo smart card portfolio, visit https://www.hidglobal.com/product-display/cards-and-credentials/crescendo