MidnightBSD

Advisories for ncipher

CVE-2001-0081 MEDIUM

swinit in nCipher does not properly disable the Operator Card Set recovery feature even when explicitly disabled by the user, which could allow attackers to gain access to application keys.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ncipher ncipher *
CVE-2002-0939 MEDIUM

The Install Wizard for nCipher MSCAPI CSP 5.50 does not use Operator Card Set protected keys when the user requests them but does not generate the Operator Card Set, which results in a lower protection level than specified by the user (module protection only).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ncipher mscapi_csp 5.50
ncipher mscapi_csp 5.54
CVE-2002-0940 MEDIUM

domesticinstall.exe for nCipher MSCAPI CSP 5.50 and 5.54 does not use Operator Card Set protected keys when the user requests them but does not generate the Operator Card Set, which results in a lower protection level than specified by the user (module protection only).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ncipher mscapi_csp 5.50
ncipher mscapi_csp 5.54
CVE-2002-0941 MEDIUM

The ConsoleCallBack class for nCipher running under JRE 1.4.0 and 1.4.0_01, as used by the TrustedCodeTool and possibly other applications, may leak a passphrase when the user aborts an application that is prompting for the passphrase, which could allow attackers to gain privileges.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ncipher nforce *
ncipher nshield *
CVE-2002-1446 MEDIUM

The error checking routine used for the C_Verify call on a symmetric verification key in the nCipher PKCS#11 library 1.2.0 and later returns the CKR_OK status even when it detects an invalid signature, which could allow remote attackers to modify or forge messages.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ncipher pkcs_11_library 1.2.0
CVE-2003-1417 MEDIUM

nCipher Support Software 6.00, when using generatekey KeySafe to import keys, does not delete the temporary copies of the key, which may allow local users to gain access to the key by reading the (1) key.pem or (2) key.der files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-255,

Products Affected

Vendor Product Version
ncipher support_software 6.00
CVE-2004-0063 HIGH

The SPP_VerifyPVV function in nCipher payShield SPP library 1.3.12, 1.5.18 and 1.6.18 returns a Status_OK value even if the HSM returns a different status code, which could cause applications to make incorrect security-critical decisions, e.g. by accepting an invalid PIN number.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ncipher payshield_spp_library 1.3.12
ncipher payshield_spp_library 1.5.18
ncipher payshield_spp_library 1.6.18
CVE-2004-0320 LOW

Unknown vulnerability in nCipher Hardware Security Modules (HSM) 1.67.x through 1.99.x allows local users to access secrets stored in the module's run-time memory via certain sequences of commands.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ncipher nshield 2.12
ncipher nshield 1.71.15
ncipher nshield 1.71.90
ncipher nshield 1.77.93
ncipher nshield 2.0
ncipher nshield 2.0.4
ncipher nshield 1.71.11
ncipher nshield 1.75.15
ncipher nshield 1.77.9
ncipher nshield 1.79.81
ncipher nshield 1.77.97
ncipher nshield 1.79.12
ncipher nshield 1.79.80
ncipher nshield 2.12.2
CVE-2006-1115 LOW

nCipher HSM before 2.22.6, when generating a Diffie-Hellman public/private key pair without any specified DiscreteLogGroup parameters, chooses random parameters that could allow an attacker to crack the private key in significantly less time than a brute force attack.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ncipher chil *
ncipher mscapi_csp 5.50
ncipher mscapi_csp 5.54
ncipher ncipher_software_cd *
CVE-2006-1116 MEDIUM

The CBC-MAC integrity functions in the nCipher nCore API before 2.18 transmit the initialization vector IV as part of a message when the implementation uses a non-zero IV, which allows remote attackers to bypass integrity checks and modify messages without being detected.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ncipher ncore 2.17
CVE-2006-1117 LOW

nCipher firmware before V10, as used by (1) nShield, (2) nForce, (3) netHSM, (4) payShield, (5) SecureDB, (6) DSE200 Document Sealing Engine, (7) Time Source Master Clock (TSMC), and possibly other products, contains certain options that were only intended for testing and not production, which might allow remote attackers to obtain information about encryption keys and crack those keys with less effort than brute force.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ncipher nethsm 2.0
ncipher nethsm 2.1.12_cam5
ncipher ncore *
ncipher dse200_document_sealing_engine *
ncipher nforce *
ncipher nethsm 2.1
ncipher securedb *
ncipher payshield *
ncipher nshield *
ncipher time_source_master_clock *