Summary
Article explaining the external security penetration analysis and report on the Entrust nShield network-attached HSMs.
The penetration testers developed a method to attack nShield Connect XC network-attached HSM appliances and reported this to Entrust in line with responsible disclosure principles. This gave us the opportunity to confirm their findings and address the issues for our customers prior to the results being made public. Entrust followed its responsible vulnerability management process to triage the issues and publish software updates to mitigate the issue for customers.
It’s important to note that while the testers’ proof of concept attack focused on the USB port on the front panel, enabling access to the nShield server appliance, they did not access the embedded HSM nor the cryptographic keys in the HSM.
Entrust has provided a software update and guidance to mitigate this kind of attack, available to customers in the nShield support portal.
There are several factors that mitigate this issue for users of these appliances:
- Apply the software update issued by Entrust. Applying the latest software update prevents the use of the USB port as described in the penetration test.
- HSM remains secure: These issues do not permit login to or execution of unauthorized code on the embedded HSM PCIe card inside the appliance. The confidentiality and integrity of critical security parameters, including cryptographic keys, in the HSM remain fully protected.
- Requires physical access to the device: The vulnerability cannot be exploited remotely. Carrying out the exploit requires direct, hands-on physical access to the appliance and the time to perform the manipulation.
- No known exploit: To date, Entrust has not received any reports of the vulnerability being exploited among its customers.
- Deployed in secure environments: nShield HSMs are designed to be deployed in physically secure environments, as mandated by FIPS 140-2, FIPS 140-3, Common Criteria, prevailing market security standards, and Entrust’s own product recommendations. Installing and operating the appliance within such protected environments significantly mitigates the risk of any physical compromise.
- New devices are not affected: New nShield 5c and nShield XC units shipped have the software update applied to mitigate this exploit.
Entrust takes vulnerabilities, including those reported by independent researchers, seriously and has prepared customers to avoid unauthorized access to their appliances. Customers should note the following and take appropriate action:
- Apply the latest software update for the affected nShield HSMs. Go to the support portal at https://nshieldsupport.entrust.com for information and instructions.
- Review our latest Security Advisory in the support portal for additional guidance on how to confirm appliance security.
- All new units shipping from our manufacturing sites have this update applied.
If you have any concerns or need additional guidance on this issue, please feel free to contact your local Entrust salesperson or partner.