CVE-2021-3011 Information

Description

An electromagnetic-wave side-channel issue was discovered on NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9. It allows attackers to extract the ECDSA private key after extensive physical access (and consequently produce a clone). This was demonstrated on the Google Titan Security Key, based on an NXP A7005a chip. Other FIDO U2F security keys are also impacted (Yubico YubiKey Neo and Feitian K9, K13, K21, and K40) as well as several NXP JavaCard smartcards (J3A081, J2A081, J3A041, J3D145_M59, J2D145_M59, J3D120_M60, J3D082_M60, J2D120_M60, J2D082_M60, J3D081_M59, J2D081_M59, J3D081_M61, J2D081_M61, J3D081_M59_DF, J3D081_M61_DF, J3E081_M64, J3E081_M66, J2E081_M64, J3E041_M66, J3E016_M66, J3E016_M64, J3E041_M64, J3E145_M64, J3E120_M65, J3E082_M65, J2E145_M64, J2E120_M65, J2E082_M65, J3E081_M64_DF, J3E081_M66_DF, J3E041_M66_DF, J3E016_M66_DF, J3E041_M64_DF, and J3E016_M64_DF).

CVSS Vector

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

https://ninjalab.io/wp-content/uploads/2021/01/a_side_journey_to_titan.pdf
https://ninjalab.io/a-side-journey-to-titan/

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

4.2

Base Severity

MEDIUM
