SA-002: Potential Extraction of an Elliptic Curve Cryptography (ECC) private key via a side-channel attack against ECDSA
Vulnerability Type: Observable Timing Discrepancy
Affected Product(s): NPCT75x with Firmware versions 188.8.131.52, 184.108.40.206 and 220.127.116.11
Fixed Product(s): Firmware version: 18.104.22.168. Firmware updates are available from system OEMs.
Attack Type: Physical
Impact: Information Disclosure
Affected Components: Elliptic Curve Digital Signature Algorithm (ECDSA) signature
Attack Vector: An attacker with physical access to Nuvoton Trusted Platform Module NPCT75x (7.2.x before 22.214.171.124) could extract an Elliptic Curve Cryptography (ECC) private key via a side-channel attack against ECDSA, because of an Observable Timing Discrepancy.
Detailed Description: Same as “Attack Vector”.
Research presented at http://tpm.fail
Common Criteria ITSEF: Serma Safety & Technology
Researcher: Antonio de la Piedra
CVE Identifier: CVE-2020-25082