Re: Infineon firmware security issues

2017-10-17 Thread Michael Scherer
On Tuesday, 17 October 2017 at 13:33 +0300, Eyal Edri wrote:
> Thanks,
> 
> So if I have an old YubiKey (2.43) I shouldn't be affected, right? Only
> V4 is?

That's what the post on yubico.com seems to imply. We do not know what
chipset is used in the key, so I can't give an educated guess. But I
hear people using the YubiKey NEO weren't affected.

Now, only the CCID function is problematic, and only if you did
generate the ssh key on the chip (e.g., followed the official doc at
https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html and
used "yubico-piv-tool -s 9a -a generate -o public.pem").

If you imported the key, then that should be ok.

If you use the YubiKey for non-smartcard use (e.g. U2F, 2FA for RH VPN
or a similar system), that's ok too.



> On Tue, Oct 17, 2017 at 12:56 PM, Marc Dequènes (Duck) wrote:
> 
> > Quack,
> > 
> > So the news (thanks Misc for the alert):
> > 
> > https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
> > 
> > This affects Yubikeys and other hardware:
> >   https://www.yubico.com/support/security-advisories/ysa-2017-01/
> > 
> > There's a nice tool to test if a key is vulnerable:
> >   https://github.com/crocs-muni/roca
> > 
> > I tested keys in the oVirt Puppet repository and none are affected.
> > 
> > You may check your other keys and ensure keys are checked in other
> > projects.
> > 
> > \_o<
> > 
> > 
> > ___
> > Infra mailing list
> > Infra@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/infra
-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS





Re: Infineon firmware security issues

2017-10-17 Thread Michael Scherer
On Tuesday, 17 October 2017 at 13:36 +0300, Eyal Edri wrote:
> On Tue, Oct 17, 2017 at 1:31 PM, Michael Scherer wrote:
> 
> > On Tuesday, 17 October 2017 at 18:56 +0900, Marc Dequènes (Duck) wrote:
> > > Quack,
> > > 
> > > So the news (thanks Misc for the alert):
> > > 
> > > https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
> > > 
> > > This affects Yubikeys and other hardware:
> > >   https://www.yubico.com/support/security-advisories/ysa-2017-01/
> > > 
> > > There's a nice tool to test if a key is vulnerable:
> > >   https://github.com/crocs-muni/roca
> > > 
> > > I tested keys in the oVirt Puppet repository and none are affected.
> > > 
> > > You may check your other keys and ensure keys are checked in other
> > > projects.
> > 
> > Ideally, if someone could verify the key in Gerrit, it would be
> > helpful. I removed mine, but I suspect I am not the only one who
> > tried to follow best practices :)
> > 
> 
> If you run the tool locally on your .ssh/ dir, it should already
> include the public key you have on Gerrit, no?

Well, I know my key is vulnerable, I got notified by Fedora and Github.
But I just do not know where exactly I used it, because I have accounts
everywhere, and it's likely that I forgot it in some place.

> We'll need to check if it's possible to run that tool on Gerrit and if
> the keys are even stored on the fs and not inside the Gerrit DB.

If they are in the DB, we can extract them with an SQL query, IMHO.

I plan to look at Gluster's Gerrit instance once I finish my own
cleanup and key generation, which is a rather tedious task (because I
also found out that my backup key is not working anymore for an unknown
reason).

-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS





Re: Infineon firmware security issues

2017-10-17 Thread Eyal Edri
On Tue, Oct 17, 2017 at 1:31 PM, Michael Scherer wrote:

> On Tuesday, 17 October 2017 at 18:56 +0900, Marc Dequènes (Duck) wrote:
> > Quack,
> >
> > So the news (thanks Misc for the alert):
> >
> > https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
> >
> > This affects Yubikeys and other hardware:
> >   https://www.yubico.com/support/security-advisories/ysa-2017-01/
> >
> > There's a nice tool to test if a key is vulnerable:
> >   https://github.com/crocs-muni/roca
> >
> > I tested keys in the oVirt Puppet repository and none are affected.
> >
> > You may check your other keys and ensure keys are checked in other
> > projects.
>
> Ideally, if someone could verify the key in Gerrit, it would be
> helpful. I removed mine, but I suspect I am not the only one who tried
> to follow best practices :)
>

If you run the tool locally on your .ssh/ dir, it should already include
the public key you have on Gerrit, no?
We'll need to check if it's possible to run that tool on Gerrit and if the
keys are even stored on the fs and not inside the Gerrit DB.


>
>
> Debian, Github and Fedora did send alerts to affected people, and I am
> in the process of changing my key in the 50 to 60 places where I used
> it, and I assume most affected people will be aware somehow, but
> automated removal from vulnerable systems would surely help.
>
> --
> Michael Scherer
> Sysadmin, Community Infrastructure and Platform, OSAS
>


-- 
Eyal Edri
MANAGER
RHV DevOps
EMEA VIRTUALIZATION R
Red Hat EMEA
phone: +972-9-7692018
irc: eedri (on #tlv #rhev-dev #rhev-integ)
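The check Duck and Eyal are talking about, written up here as an added example (this is not the roca tool's own code): it applies the public ROCA fingerprint test used by the crocs-muni detector to `ssh-rsa` lines of the kind found in a `.ssh/authorized_keys` file or in a dump of Gerrit's stored keys. The function names `encode_ssh_rsa`, `parse_ssh_rsa` and `scan_authorized_keys` are chosen for this example, and the sample moduli are constructed toys, not real keys.

```python
import base64
import struct

# Primes used by the crocs-muni/roca detector: a modulus N from the affected Infineon
# generator has N mod r in the subgroup <65537 mod r> for every r; random moduli don't.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
                137, 139, 149, 151, 157, 163, 167]
# Allowed residues per prime: every power of 65537 mod r (the order of 65537 is < r).
ALLOWED = {r: {pow(65537, k, r) for k in range(r)} for r in SMALL_PRIMES}

def has_roca_fingerprint(n):
    """True if the RSA modulus n passes every small-prime residue test."""
    return all(n % r in ALLOWED[r] for r in SMALL_PRIMES)

def encode_ssh_rsa(e, n, comment):
    """Build an OpenSSH 'ssh-rsa <base64> <comment>' line (used to construct test input)."""
    def field(b):  # SSH wire string: 4-byte big-endian length, then the bytes
        return struct.pack(">I", len(b)) + b
    def mpint(v):  # positive mpint: an extra 0x00 byte when the high bit is set
        return v.to_bytes((v.bit_length() + 8) // 8, "big")
    blob = field(b"ssh-rsa") + field(mpint(e)) + field(mpint(n))
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

def parse_ssh_rsa(line):
    """Return (e, n, comment) from an authorized_keys-style ssh-rsa line."""
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa line")
    blob, parts, pos = base64.b64decode(fields[1]), [], 0
    while pos < len(blob):  # walk the length-prefixed fields: "ssh-rsa", e, n
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        parts.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    e, n = (int.from_bytes(p, "big") for p in parts[1:3])
    return e, n, fields[2] if len(fields) > 2 else ""

def scan_authorized_keys(lines):
    """[(comment, flagged)] per ssh-rsa line; blanks, '#' lines and other key types skipped."""
    keys = (parse_ssh_rsa(ln.strip()) for ln in lines if ln.strip().startswith("ssh-rsa "))
    return [(comment, has_roca_fingerprint(n)) for _, n, comment in keys]

# Constructed sample input (toy moduli, not real keys): 65537**3 lies in every subgroup
# so it carries the fingerprint; 65537**3 + 3 is 2 mod 11 but <65537 mod 11> = {1, 10}.
SAMPLE_LINES = [
    encode_ssh_rsa(65537, 65537 ** 3, "toy-fingerprinted"),
    encode_ssh_rsa(65537, 65537 ** 3 + 3, "toy-clean"),
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA not-rsa-skipped",
]
```

A flagged key should still be confirmed with the roca tool itself, and only RSA keys can carry the fingerprint, so ed25519 or ECDSA entries are skipped rather than reported clean.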


Re: Infineon firmware security issues

2017-10-17 Thread Eyal Edri
Thanks,

So if I have an old YubiKey (2.43) I shouldn't be affected, right? Only V4
is?

On Tue, Oct 17, 2017 at 12:56 PM, Marc Dequènes (Duck) wrote:

> Quack,
>
> So the news (thanks Misc for the alert):
>
> https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
>
> This affects Yubikeys and other hardware:
>   https://www.yubico.com/support/security-advisories/ysa-2017-01/
>
> There's a nice tool to test if a key is vulnerable:
>   https://github.com/crocs-muni/roca
>
> I tested keys in the oVirt Puppet repository and none are affected.
>
> You may check your other keys and ensure keys are checked in other
> projects.
>
> \_o<


-- 
Eyal Edri
MANAGER
RHV DevOps
EMEA VIRTUALIZATION R
Red Hat EMEA
phone: +972-9-7692018
irc: eedri (on #tlv #rhev-dev #rhev-integ)


Re: Infineon firmware security issues

2017-10-17 Thread Michael Scherer
On Tuesday, 17 October 2017 at 18:56 +0900, Marc Dequènes (Duck) wrote:
> Quack,
> 
> So the news (thanks Misc for the alert):
> 
> https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
> 
> This affects Yubikeys and other hardware:
>   https://www.yubico.com/support/security-advisories/ysa-2017-01/
> 
> There's a nice tool to test if a key is vulnerable:
>   https://github.com/crocs-muni/roca
> 
> I tested keys in the oVirt Puppet repository and none are affected.
> 
> You may check your other keys and ensure keys are checked in other
> projects.

Ideally, if someone could verify the key in Gerrit, it would be
helpful. I removed mine, but I suspect I am not the only one who tried
to follow best practices :)


Debian, Github and Fedora did send alerts to affected people, and I am
in the process of changing my key in the 50 to 60 places where I used
it, and I assume most affected people will be aware somehow, but
automated removal from vulnerable systems would surely help.

-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS


