CVE-2020-12061

CRITICAL

Nitrokey Fido U2f Firmware - Insufficiently Protected Credentials

Title source: rule

Description

An issue was discovered in Nitrokey FIDO U2F firmware through 1.1. Communication between the microcontroller and the secure element transmits credentials in plain. This allows an adversary to eavesdrop the communication and derive the secrets stored in the microcontroller. As a result, the attacker is able to arbitrarily manipulate the firmware of the microcontroller.

References (4)

[Third Party Advisory] https://cwe.mitre.org/data/definitions/523.html

[Exploit, Third Party Advisory] https://eprint.iacr.org/2021/640.pdf

[Patch, Third Party Advisory] https://github.com/Nitrokey/nitrokey-fido-u2f-firmware/commits/master

View Patch ZIP pw:eip

[Third Party Advisory] https://github.com/Nitrokey/nitrokey-fido-u2f-firmware/releases

Scores

CVSS v3 9.8

EPSS 0.0043

EPSS Percentile 62.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-522

Status published

Affected Products (1)

nitrokey/fido_u2f_firmware < 1.1

Timeline

Published May 21, 2021

Tracked Since Feb 18, 2026