Strix
26.1K

CVE-2021-3011

MEDIUMCVSS 4.2/10EPSS 0.20%

Last modified

CVE-2021-3011 is a medium-severity vulnerability rated 4.2/10 on the CVSS scale. An electromagnetic-wave side-channel issue was discovered on NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9. It allows attackers to extract the ECDSA private key after extensive physical access (and consequently produce a clone). EPSS estimates a 0.20% chance of exploitation in the next 30 days.

Description

An electromagnetic-wave side-channel issue was discovered on NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9. It allows attackers to extract the ECDSA private key after extensive physical access (and consequently produce a clone). This was demonstrated on the Google Titan Security Key, based on an NXP A7005a chip. Other FIDO U2F security keys are also impacted (Yubico YubiKey Neo and Feitian K9, K13, K21, and K40) as well as several NXP JavaCard smartcards (J3A081, J2A081, J3A041, J3D145_M59, J2D145_M59, J3D120_M60, J3D082_M60, J2D120_M60, J2D082_M60, J3D081_M59, J2D081_M59, J3D081_M61, J2D081_M61, J3D081_M59_DF, J3D081_M61_DF, J3E081_M64, J3E081_M66, J2E081_M64, J3E041_M66, J3E016_M66, J3E016_M64, J3E041_M64, J3E145_M64, J3E120_M65, J3E082_M65, J2E145_M64, J2E120_M65, J2E082_M65, J3E081_M64_DF, J3E081_M66_DF, J3E041_M66_DF, J3E016_M66_DF, J3E041_M64_DF, and J3E016_M64_DF).

Metrics

CVSS 3.1
4.2/10

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability
0.20%

9.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
FtsafeK13All versions
FtsafeK21All versions
FtsafeK40All versions
FtsafeK9All versions
GoogleTitan Security KeyAll versions
Nxp3a081All versions
NxpA7005aAll versions
NxpJ2a081All versions
NxpJ2d081 M59All versions
NxpJ2d081 M61All versions
NxpJ2d082 M60All versions
NxpJ2d120 M60All versions
NxpJ2d145 M59All versions
NxpJ2e081 M64All versions
NxpJ2e082 M65All versions
NxpJ2e120 M65All versions
NxpJ2e145 M64All versions
NxpJ3a041All versions
NxpJ3d081 M59All versions
NxpJ3d081 M59 DfAll versions
NxpJ3d081 M61All versions
NxpJ3d081 M61 DfAll versions
NxpJ3d082 M60All versions
NxpJ3d120 M60All versions
NxpJ3d145 M59All versions
NxpJ3e016 M64All versions
NxpJ3e016 M64 DfAll versions
NxpJ3e016 M66All versions
NxpJ3e016 M66 DfAll versions
NxpJ3e041 M64All versions
NxpJ3e041 M64 DfAll versions
NxpJ3e041 M66All versions
NxpJ3e041 M66 DfAll versions
NxpJ3e081 M64All versions
NxpJ3e081 M64 DfAll versions
NxpJ3e081 M66All versions
NxpJ3e081 M66 DfAll versions
NxpJ3e082 M65All versions
NxpJ3e120 M65All versions
NxpJ3e145 M64All versions
NxpP5010All versions
NxpP5020All versions
NxpP5021All versions
NxpP5040All versions
YubicoYubikey NeoAll versions

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2021-3011?
An electromagnetic-wave side-channel issue was discovered on NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9. It allows attackers to extract the ECDSA private key after extensive physical access (and consequently produce a clone). This was demonstrated on the Google Titan Security Key, based on an NXP A7005a chip. Other FIDO U2F security keys are also impacted (Yubico YubiKey Neo and Feitian K9, K13, K21, and K40) as well as several NXP JavaCard smartcards (J3A081, J2A081, J3A041, J3D145_M59, J2D145_M59, J3D120_M60, J3D082_M60, J2D120_M60, J2D082_M60, J3D081_M59, J2D081_M59, J3D081_M61, J2D081_M61, J3D081_M59_DF, J3D081_M61_DF, J3E081_M64, J3E081_M66, J2E081_M64, J3E041_M66, J3E016_M66, J3E016_M64, J3E041_M64, J3E145_M64, J3E120_M65, J3E082_M65, J2E145_M64, J2E120_M65, J2E082_M65, J3E081_M64_DF, J3E081_M66_DF, J3E041_M66_DF, J3E016_M66_DF, J3E041_M64_DF, and J3E016_M64_DF).
How severe is CVE-2021-3011?
CVE-2021-3011 has a CVSS score of 4.2/10 (MEDIUM severity). The EPSS model estimates a 0.20% probability of exploitation in the next 30 days.
How do I fix CVE-2021-3011?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-3011?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST