Security experts have discovered a new vulnerability, tracked as CVE-2017-15361. An exploit called ROCA is the Return of Coppersmith’s Attack (allowing the users private keys to be recovered in breaking encryption).  A vulnerability testing tool has also been developed

While security experts are discussing the dreaded KRACK attack against WiFi networks IT giants, including Fujitsu, Google, HP, Lenovo, and Microsoft are warning their customers of a severe flaw in widely used RSA cryptographic library produced by German semiconductor manufacturer Infineon Technologies. The vulnerability, tracked as CVE-2017-15361, affects the implementation of RSA key pair generation by Infineon’s Trusted Platform Module (TPM).

Infineon TPM is a dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices and helps to shield against unauthorized access to the data stored by improving the system integrity. The vulnerability in Infineon’s Trusted Platform Module (TPM), dubbed ROCA (Return of Coppersmith’s Attack), was discovered by security researchers at Masaryk University in the Czech Republic.

The researchers published the details of the ROCA vulnerability in a blog post and also published a tool online that could be used to test if RSA keys are vulnerable to this dangerous flaw.The ROCA attack works against differed key lengths, including 1024 and 2048 bits, which is widely used for differed applications, including the national identity cards and message protection like PGP.

“The actual impact of the vulnerability depends on the usage scenario, availability of the public keys and the lengths of keys used. We found and analyzed vulnerable keys in various domains including electronic citizen documents, authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP.” said the researchers. “The currently confirmed number of vulnerable keys found is about 760,000 but possibly up to two to three magnitudes more are vulnerable. The details will be presented in two weeks at the ACM CCS conference.