Credential, key, and source disclosure in Thales products (formerly Gemalto or Safenet)

Categories: [Security]

Overview

ProtectV and KeySecure "Next Generation" VM images include credentials for AWS EC2, ECR, and SES, DataDog API, and New Relic API license key. Several CA keys are also included.

Multiple AWS EC2 credentials had near-admin rights, potentially allowing malicious changes to the dev, build, and prod environments for several products. I don't believe logging was enabled, or if it was, nobody was reading the logs.

Source code and build environments for several products are also included in the build images, despite not being needed for the product. (For example, Docker containers included with ProtectV 4.7.3 even though that version doesn't use containers.)

By combining these issues with CVE-2021-XXXX an atacker could create a malicious Keysecure HSM to mount man-in-the-middle or DNS attacks, or review the source further to identify undiscovered vulnerabilities.

Note that I no longer have access to downloads for these products, and cannot verify if the credentials were removed or just changed.

Affected products

• ProtectV 3.5 through 4.10.0
• KeySecure "Next Generation" (all versions)
• Ciphertrust Manager before 2.4
• NCryptify

Vulnerability ID

CVE-2021-xxxxx (Waiting for number assignment by Thales)

Impact

• Malicious users could have made changes to the Thales build environment without detection.
• An attacker could create a malicious HSM to capture keys or credentials.
• Source code for several products can be reviewed for further vulnerabilities.

Timeline

• 1/19/2021: Initial report to Thales PSIRT, received response
• 4/9/2021: Emailed again for follow-up. Note that at least the AWS admin credentials were still valid at this point.
• 4/12/2021: Thales responded that they'll follow up with the related team and provide status
• 4/19/2021: Thales responds and verifies vulnerability
• 4/19/2021: Emailed Thales and requested timeframe
• 6/3/2021: Emailed again for follow-up
• 6/17/2021: Emailed again for follow-up
• 6/17/2021: Thales responds that they'll get status and respond the next day
• 6/22/2021: Emailed again for follow-up.
• 6/28/2021: Thales responds that they are escalating the issue with the related team for urgent status.
• 6/30/2021: Thales responds that a security advisory was published on May 5 on their customer-only portal. I no longer have access to the customer portal, so I cannot verify this.
• 7/1/2021-7/5/2021: Discussion around who applies for the CVE ID. Thales offers to request the ID.